This report contains follow-up information on recommendations
from  an  electronic  data  processing  audit  of  the  department's 
computer-based  systems  (93DP-28).   Our  initial  recommendations 
addressed  improving  controls  over  the  department's  electronic 
data  processing  environment.   Of  the  41  initial  individual 
recommendations,  21  are  fully  implemented,  1  is  partially 
implemented,  18  are  not  implemented,  and  1  is  being 
implemented.   Follow-up  areas  include: 


► Increasing electronic access, systems development,
organizational, and physical security controls.

► Improving data integrity of criminal justice and registration
and titling applications.

► Strengthening cooperation between state and local
governments.
EDP AUDITS


Electronic  Data  Processing  (EDP)  audits  conducted  by  the  Office  of  the  Legislative  Auditor  are 
designed  to  assess  controls  in  an  EDP  environment.  EDP  controls  provide  assurance  over  the 
the audit work, the audit staff uses audit standards set forth by the United States General
Accounting  Office. 


Members  of  the  EDP  audit  staff  hold  degrees  in  disciplines  appropriate  to  the  audit  process. 
Areas  of  expertise  include  business  and  public  administration. 
The Legislative Audit Committee
of  the  Montana  State  Legislature: 

We  conducted  a  follow-up  review  of  our  EDP  audit  of  the  Department  of 
Justice  (93DP-28)  internal  controls  relating  to  its  computer-based  systems.   We 
originally  reviewed  the  department's  general  controls  as  they  relate  to  the  data 
processed  on  the  state  mainframe  computers  housed  at  the  National  Guard  Armory 
and  the  Mitchell  Building. 

In addition, we reviewed two of the department's major computer applications:
Criminal Justice Information Network and Vehicle Registration and Titling.
Our  initial  recommendations  addressed  improving  controls  over  the  department's 
electronic  data  processing  environment.  Of  the  41  initial  recommendations,  21  are 
fully  implemented,  1  is  partially  implemented,  18  are  not  implemented,  and  1  is 
being  implemented.  This  report  summarizes  the  implementation  status  of  the 
original  audit  recommendations. 

We thank the Attorney General, department personnel, and local government
officials for their cooperation and assistance throughout our follow-up.


Respectfully  submitted, 


Scott  A.  Seacat 
Legislative  Auditor 


Office  of  the  Legislative  Auditor 

EDP  Follow-up  Audit  Report 


Department  of  Justice 


Members  of  the  audit  staff  involved  in  this  audit  were  Ken  Erdahl  and 
Bill  Kuhl. 
Introduction


We  performed  a  follow-up  review  of  our  electronic  data  processing 
audit  (93DP-28)  of  the  Department  of  Justice's  computer-based 
systems.   In  May  1993,  we  issued  our  original  report  which 
contained 41 recommendations for improving controls in the Department
of Justice's electronic data processing environment. This
report  outlines  the  implementation  status  of  the  recommendations 
contained  in  our  original  report. 


General  Background 


The  Department  of  Justice  was  created  on  September  1,  1972, 
through  the  Executive  Reorganization  Act  of  1971.   The  Attorney 
General, who is elected to serve a four-year term, heads the department.
The department's primary functions are to assist and coordinate
statewide law enforcement, legal services, and public safety.
The department operates several electronic data processing applications
to aid in performing these functions including: Criminal
Justice  Information  Network  (CJIN)  Hot  File,  CJIN  Criminal 
History  database,  and  the  Vehicle  Registration  and  Titling  (R&T) 
application. 

CJIN  Hot  File  and  CJIN  Criminal  History  database  operate  on  an 
IBM  4381  mainframe  computer  located  at  the  National  Guard 
Armory  in  Helena.   The  Department  of  Administration  owns  and 
maintains  this  mainframe  and  leases  it  to  the  Department  of  Justice. 
The  Vehicle  Registration  and  Titling  application  is  now  on  the 
Department  of  Administration's  mainframe  computer  located  in  the 
Mitchell  Building.   Since  application  integrity  is  dependent  on 
consistent  and  reliable  operation  of  computers,  we  audited  the 
general  control  environments  as  they  relate  to  the  applications 
tested. 

The  department's  Computer  Services  and  Planning  Division  is 
authorized  to  employ  24  full-time  equivalents  (FTE).  The  division 
is  responsible  for  operating  the  mainframe  computer  at  the  National 
Guard  Armory,  providing  application  programming  and  support, 
supporting and maintaining over 800 microcomputers, and overseeing
the daily operations of CJIN.

The CJIN Services Section is the control agency for the CJIN Hot
File.    CJIN  services  staff  (3  FTE)  provide  operator  training, 
assistance,  and  maintenance  to  97  law  enforcement  agencies 
throughout  the  state  which  use  the  Hot  File.   The  Hot  File  is  a 
CJIN  application  for  aiding  law  enforcement  personnel  in  locating 
missing  persons,  wanted  persons,  and  stolen  property.   According 
to  department  records,  799  people  and  property  items  entered  by 
Montana  agencies  were  located  during  1994.  These  included  374 
wanted  persons,  205  stolen  vehicles,  and  134  missing  persons.   As 
of  August  1994,  the  Hot  File  contained  over  9,600  wanted  person 
records  and  1,200  stolen  vehicle  records. 


The  department's  Law  Enforcement  Services  Division  employs 
eight  FTE  in  its  Criminal  History  Record  Program.   Program 
personnel  collect  and  maintain  criminal  history  information  which 
is  input  into  the  Criminal  History  database.   The  database  contains 
information  on  persons  arrested  and  fingerprinted  in  Montana.   The 
database  maintains  historical  information  for  each  person  including 
arrests,  charges,  and  dispositions.   The  Criminal  History  database 
contains historical information for over 125,000 individuals fingerprinted
since 1940. During 1993 and 1994, department personnel
entered  approximately  55,000  arrests  into  the  Criminal  History 
database  from  fingerprint  cards. 

Both  Hot  File  and  Criminal  History  information  are  available  to 
local,  state,  and  national  law  enforcement  or  criminal  justice 
agencies  through  CJIN.   CJIN  electronically  links  local,  state,  and 
national  law  enforcement  terminals,  providing  access  to  national 
and  Canadian  criminal  justice  information. 

The  Vehicle  Registration  and  Titling  application  is  the  state's 
system for registering, titling, and licensing vehicles. The department's
Title and Registration Bureau, located in Deer Lodge,
employs 57 FTE. Over 250 county employees in 56 counties
collect  fees  and  input  vehicle  information  onto  the  state  system. 
The  information  is  used  to  determine  fees  and  taxes  and  is  an  aid  to 
law enforcement in tracking and identifying stolen or missing
vehicles. 


Background on Original Audit


During  our  initial  audit  (93DP-28),  we  reviewed  the  department's 
general  controls  as  they  related  to  the  department's  data  processing 
on  the  two  mainframe  computers.   We  interviewed  department 
personnel  to  gain  an  understanding  of  the  hardware  and  software 
environment at the Department of Justice. We reviewed application
development and enhancement documentation. We also
obtained and reviewed EDP policies and procedures manuals. We
visited field offices to ensure policies and procedures were implemented
as intended by department headquarters.

We conducted an application control review of two of the department's
major EDP systems (Criminal Justice Information Network
and  Registration  and  Titling).   We  reviewed  input,  processing,  and 
output  controls  for  these  systems  to  ensure  the  systems  were 
meeting  their  objectives.   We  also  determined  if  controls  over  data 
were  effective  and  efficient,  as  well  as  adequate  to  ensure  the 
accuracy  of  data  during  the  various  processing  phases. 


EDP Audit General Controls


An EDP audit involves a review of management's controls implemented
to protect assets and limit losses. In an automated environment,
the process for reviewing controls is different from that
used in a manual environment. However, the objective of ensuring
the  reliability  of  controls  is  the  same.    A  general  control  review 
includes  an  examination  of  the  following  controls: 

Organizational  -  apply  to  the  structure  and  management  of  the 
computing  and  information  services  facility.   Specific  types  of 
organizational  controls  include  segregation  of  duties,  assignment  of 
responsibilities,  rotation  of  duties,  and  supervision. 

Procedural  -  operating  standards  and  procedures  which  ensure  the 
reliability of computer processing results and protect against
processing  errors. 

Hardware  and  Software  -  controls  within  the  operating  system 
software  and  hardware  which  monitor  and  report  system  error 
conditions. 



System  Development  -  oversight  and  supervisory  controls  imposed 
on  development  projects.   Controls  include  feasibility  studies, 
development,  testing  and  implementation,  documentation,  and 
maintenance. 

Physical  Security  -  physical  site  controls  including  security  over 
access  to  the  computer  facility,  protection  devices  such  as  smoke 
alarms  and  sprinkler  systems,  and  disaster  prevention  and  recovery 
plans. 

Electronic  Access  -  controls  which  allow  or  disallow  user  access  to 
electronically  stored  information  such  as  data  files  and  application 
programs. 


EDP Audit Application Controls


Application  controls  are  specific  to  a  given  application  or  a  set  of 
programs  that  accomplish  a  specific  objective.   An  application 
controls  review  consists  of  an  examination  of  input,  processing, 
and  output  controls.   The  application  documentation  and  audit  trail 
are  also  considered.   Applications  must  operate  within  the  general 
controls  environment  in  order  for  any  reliance  to  be  placed  on 
them.   Application  controls  are  defined  as  follows: 

Input  -  ensure  all  data  is  properly  encoded  to  machine  form,  all 
entered  data  is  approved,  and  all  approved  data  is  entered. 

Processing  -  ensure  all  data  input  is  processed  as  intended. 

Output  -  all  processed  data  is  reported  and  properly  distributed  to 
authorized  individuals. 


Follow-up  Scope 


Our  original  audit  generated  41  individual  recommendations  and 
the  Department  of  Justice  concurred  with  all  41.   We  conducted 
follow-up  work  on  the  policies  and  procedures  implemented  by  the 
Department  of  Justice  resulting  from  recommendations  of  our 
initial  EDP  audit.   Our  follow-up  objective  was  to  determine  the 
implementation  status  of  the  original  audit  recommendations 
relating  to  general  and  application  controls.   We  reviewed  agency 
documentation  and  interviewed  staff  to  evaluate  implementation  of 
the  prior  audit  recommendations.   In  addition,  we  traveled  to  five 
local  law  enforcement  agencies  and  five  county  treasurer's  offices. 
Follow-up Results


Of  the  41  initial  individual  recommendations,  we  determined  the 
Department  of  Justice  fully  implemented  21  recommendations, 
partially  implemented  1  recommendation,  is  in  the  process  of 
implementing  1  recommendation,  and  did  not  implement  18 
recommendations.    We  summarize  the  status  of  the 
recommendations  in  Chapter  II  of  this  report. 


Table 1

Implementation Status of Recommendations

Implemented              21
Partially Implemented     1
Is Being Implemented      1
Not Implemented          18

Total Recommendations    41
Introduction


This  chapter  discusses  the  status  of  each  recommendation  made  in 
our  initial  report.   Discussion  of  each  recommendation  is  organized 
as  follows: 


1. Audit area.

2.  Recommendation. 

3.  Initial  agency  response. 

4.  Present  implementation  status. 


General  Controls 


General  controls  are  developed  by  the  computer  user  to  protect 
assets  and  limit  losses.   In  our  initial  review  of  the  Department  of 
Justice's  general  control  environment,  we  found  procedural, 
hardware  and  software  controls  adequate.   However,  we  noted 
weaknesses  in  access,  system  development,  organizational,  and 
physical  controls.   In  our  original  audit,  we  made  five 
recommendations  related  to  general  control  concerns. 


Access  Controls 


Access  controls  provide  safeguards  designed  to  ensure  computer 
system  resources  are  properly  used.   Logon  IDs  and  passwords 
control  electronic  access  to  the  department's  computer  applications, 
computer  programs,  and  computer  data.   System  and  application 
programmers  have  the  highest  degree  of  technical  expertise  in  the 
computer  processing  facility  and  therefore,  play  an  important  role 
in  maintaining  the  system.   However,  managers  have  the  primary 
responsibility  for  maintaining  adequate  controls.   Without  adequate 
controls,  computer  specialists  could  alter  program  procedures  and 
data  for  personal  gain  without  leaving  a  trail. 

Proper  access  controls  assist  in  the  prevention  or  detection  of 
deliberate or accidental errors caused by improper use or manipulation
of data files, unauthorized or incorrect use of a computer
program, and/or improper use of computer resources. The department's
security officer writes rules which limit access to specific
areas of the system. Assigning limited access based on job requirements
facilitates checks and balances in the system. This approach
prevents  users  from  inadvertently  or  willfully  executing  programs 
or  changing  data  unrelated  to  their  job. 
We made three recommendations related to electronic access
controls.   The  present  status  of  the  findings  is  discussed  in  the 
following  sections. 


Programmer's Access Should be Restricted


Recommendation #1


We  recommend  the  department  establish  controls  which 
ensure  programmer  access  to  production  programs  and 
data  is  limited  and  logged. 


Initial  Agency  Response 

We  concur.   We  will  limit  programmer's  access.   It  should  be 
noted  that  this  will  increase  the  workload  of  the  security  officer  on 
ACF2  security  procedures. 

Present  Implementation  Status 

This  recommendation  is  not  implemented.  We  found  two 
programmers with unlogged write access to data in CJIN production
programs. Industry standards state programmers do not need
access to system or application libraries, which would provide a
means of bypassing controls. Programmers' activities should be
restricted to test programs and files, with access only to those
programs and files needed for a given assignment. Department
personnel indicated this access was necessary to perform maintenance
duties. We believe programmers' access to data should be
suspended,  and  any  access  to  the  files  by  the  programmers  for 
maintenance  purposes  be  logged  and  monitored. 
Programmers can Initiate and Approve Transactions


Recommendation  #2 

We  recommend  the  department  establish  policies  and 
procedures  which: 

A.  Prohibit  EDP  personnel  from  initiating  and  authorizing 
registration  and  titling  transactions. 

B.  Require  county  employees  to  seek  user  assistance  from 
the  Registration  and  Titling  Bureau. 


Initial  Agency  Response 

A.  We  concur.   The  Data  Processing  Division  and  the  Motor 
Vehicle  Division  will  develop  procedures  and  policies  to  ensure 
all  titling  and  registration  information  will  be  initiated  by 
county  and  bureau  personnel  only.   This  will,  however,  have  a 
significant  impact  on  the  Titling  and  Registration  Bureau  as 
they  have  the  responsibility  of  adding  and  deleting  user  IDs 
from  the  system. 

B.  We  concur.  A  training  program  has  been  implemented  to  have 
the  counties  go  through  the  Title  and  Registration  Bureau 
trainers  who  will  then  go  through  the  questions  and  problems 
as  they  relate  to  data  changes  needed  for  county  employees  to 
complete  the  transaction. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  not  implemented.  The  entire 
programming  group  has  access  to  R&T  Job  Control  Language 
(JCL). This gives them the ability to authorize and initiate transactions,
bypassing the approval process. Industry standards suggest
EDP  personnel  should  be  prohibited  from  initiating  or  authorizing 
transactions.   The  user  department  should  be  responsible  for 
approval  of  transactions,  not  programmers.   Department  personnel 
said  they  believed  the  access  had  been  changed  and  indicated  they 
will  restrict  programmers'  access  to  JCL. 

Part  B  of  this  recommendation  is  implemented.  The  department 
established  policies  and  procedures  requiring  county  employees  to 
seek  user  assistance  from  the  Registration  and  Titling  Bureau. 
County employees we interviewed indicated they believe the user
assistance  provided  by  the  Registration  and  Titling  Bureau  is 
helpful  and  adequate. 


Electronic Access not Controlled


Recommendation #3


We  recommend  the  department  establish  formal  access 
control  policies  and  procedures  which  require  local 
government  officials: 

A.  To  notify  the  department  when  local  government 
employees  no  longer  need  access  to  department 
applications. 

B.  To  review  current  access  rights  and  determine  if  user 
access  corresponds  to  each  user's  job  responsibilities. 


Initial  Agency  Response 

A.  and  B.   We  concur  and  will  implement  the  necessary  policies 
and  procedures.   The  Title  and  Registration  Bureau  will  develop  a 
policy  that  county  treasurer  users  must  justify  why  they  want  an 
individual  to  have  particular  kinds  of  access. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.  The  department 
established  policies  and  procedures  to  review  access  annually  for 
R&T and monthly for CJIN. However, we reviewed access lists at
five  law  enforcement  agencies  and  found  two  employees  having 
access  to  CJIN  over  three  months  after  they  were  no  longer 
employed  by  the  law  enforcement  agency.   Also,  we  reviewed 
access  lists  at  five  county  treasurer's  offices  and  found  one  former 
employee  with  access  to  R&T  over  six  months  after  termination. 
A  weakness  in  this  area  could  allow  terminated  employees  to  enter 
invalid  data  and  process  invalid  transactions.  The  department 
should  continue  to  stress  the  importance  of  prompt  notification  of 
employee  terminations. 

Part  B  of  this  recommendation  is  not  implemented.    We  found 
the  department  reviews  who  has  access,  but  the  department  does 
not review what levels of access individuals have. As a result, we
found 13 employees with more access than they needed to perform
their jobs. A weakness in this area increases the risk of unauthorized
modifications to files and programs. We believe a periodic
comparison of access rights to job duties could help eliminate the
improper access.


Password Concerns


Recommendation #4

We  recommend  the  department: 

A.  Require  periodic  changing  of  passwords. 

B.  Ensure  future  applications  developed  for  the 
department  encrypt  passwords. 


Initial  Agency  Response 

A.  We  concur.   The  ACF2  program  will  be  implemented  as  soon 
as  possible  to  accomplish  this  recommendation.    Every  three 
months  the  system  will  force  users  to  choose  a  new  password. 

B.  We  concur. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  partially  implemented.   Since 
our  initial  audit,  the  Vehicle  Registration  and  Titling  application 
was  moved  from  System  B  at  the  National  Guard  Armory  to 
System  A  at  the  Mitchell  Building.   The  security  package  on 
System  A  automatically  requires  users  to  change  their  passwords 
every  90  days.  However,  the  CJIN  application  does  not  require 
users to change their password. Industry guidelines suggest passwords
be changed often enough so the probability passwords can
be guessed is low. An interval of three months or less is recommended.
Not requiring users to change their passwords increases
the  risk  of  unauthorized  access  to  confidential  criminal  justice 
information.   Department  personnel  indicated  the  security  software 
on  System  B  does  not  allow  them  to  require  periodic  password 
changing.   We  found  the  security  software  on  System  B  does  allow 
them  to  require  periodic  password  changing,  but  the  department 
has  chosen  not  to  use  the  security  software  to  protect  CJIN. 
Part B of this recommendation is not implemented. The department
has not established policies and procedures requiring
encrypted passwords in future applications. Industry guidelines
indicate authentication devices such as a keyword or password
should be known only to the user. In order to ensure accountability
for work done, a password should be known only to the
individual  responsible  for  that  particular  logon.   Encryption  of 
passwords  helps  ensure  password  confidentiality.   Department 
personnel  indicated  the  present  security  software  on  System  B  does 
not  have  password  encryption  capabilities. 


Contingency  Planning 


Recommendation  #5 

We  recommend  the  department: 

A.  Establish  a  formal  contingency  plan  to  comply  with 
guidelines  for  agencies  specified  in  section  1-0240.00, 
MOM. 

B.  Periodically  test  the  contingency  plan. 


Initial  Agency  Response 

A.  We  concur.   The  department  views  this  recommendation  as  one 
that is very important but also one that will take a very significant
amount of resources and time to accomplish. We will
begin  the  planning  process  as  soon  as  possible  to  implement 
this  recommendation. 

B.  We  concur. 

Present  Implementation  Status 

Part A of this recommendation is not implemented. The department
has not developed a formal contingency plan. Department
personnel  indicated  they  are  waiting  for  test  results  from  the  state 
disaster  recovery  plan  to  determine  the  approach  they  will  take  in 
establishing  a  contingency  plan.  The  department  has  developed 
and  tested  some  disaster  recovery  procedures  for  the  CJIN 
application. However, the department must establish recovery
procedures to ensure timely recovery of operations as outlined in
section 1-0240.00, MOM. These guidelines indicate agencies
should  document  backup  recovery  procedures,  make  provisions  for 
backup  hardware,  provide  a  detailed  definition  of  responsibilities 
for  each  organizational  unit,  and  identify  potential  disasters  and 
their  impact.   If  a  breakdown  occurs,  knowledgeable  personnel 
may  not  be  available  to  restore  applications  to  operating  capacity. 


Part  B  of  this  recommendation  is  not  implemented.   Since  part 
A  has  not  been  implemented,  this  recommendation  is  not  applicable 
at  this  time. 


Application  Controls 


In  our  initial  audit,  we  reviewed  application  controls  related  to  the 
Criminal  Justice  Information  Network  (CJIN),  which  includes  Hot 
File  and  Criminal  History  applications,  and  the  Registration  and 
Titling application. These applications, as well as each recommendation
and its related implementation status, are summarized in
the  following  sections. 


Criminal Justice Information Network


The  CJIN  Hot  File  application  contains  active  information  on 
outstanding  warrants,  missing  persons,  and  stolen  property.   For 
instance,  when  a  patrolman  makes  a  traffic  stop,  he  notifies  the 
local  dispatcher  who  checks  the  Hot  File  database  records  to 
determine  if  the  person  is  wanted  or  the  vehicle  stolen. 
Dispatchers  input  such  information  as  soon  as  it  is  available,  and 
the  database  is  updated  immediately  upon  entry. 

The  Criminal  History  application  contains  information  on  arrests 
and  convictions.   Law  enforcement  personnel  at  the  local  agencies 
send  fingerprint  cards  to  the  department's  Criminal  History 
Records  Program.   Program  personnel  input  the  information  onto 
the  application  directly  from  the  fingerprint  cards.   Fingerprint 
cards  contain  information  about  the  arrested  person  such  as 
physical  characteristics  and  aliases.   In  addition,  the  charges  filed, 
arrest  date,  warrant  date,  and  case  numbers  are  also  on  the  cards. 
Subsequently,  courts  are  required  to  submit  arrest  dispositions  to 
the  department.   The  application  is  used  to  track  criminal  activity 
and  to  provide  background  information  for  employment  purposes. 

We  examined  controls  over  the  two  separate  criminal  justice 
applications. Access to the Criminal History and Hot File applications
is controlled by CJIN services. Access concerns we noted, as
well  as  our  concern  related  to  the  destruction  of  confidential 
information,  apply  to  both  applications. 


Criminal History and Hot File Management


Recommendation #6


We  recommend  the  department: 

A.  Establish  minimum  standards  for  background  checks 
on  CJIN  users  and  require  documentation  of  the 
background  checks. 

B.  Enforce  certification  policies  which  require  the 
department  to  terminate  user  access  if  certification 
requirements  are  not  met. 


Initial Agency Response

A.  We  concur.   Since  the  audit  began,  NCIC  has  written  a  new 
Security  Policy  Document  that  requires  agencies  to  submit 
completed  applicant  fingerprint  cards  to  the  FBI  identification 
division  through  the  state  identification  bureau.   Therefore, 
minimum standards are in place that will require documentation.
It should be noted that this will be a very big project that
will  stretch  our  limited  resources. 

B.  We  concur.   We  would  note  that  we  have  followed  up  on  the 
comments  made  by  the  auditors  with  local  agencies  that  were 
audited.  We  contacted  each  agency  and  spoke  with  the 
Terminal  Agency  Coordinator  (TAC)  in  all  cases.   When 
agencies  were  being  audited  by  EDP  auditors,  in  three  out  of 
seven  agencies,  the  TAC  was  not  interviewed  or  consulted. 
The TACs are the persons in the agency responsible for ensuring
that CJIN/NCIC policy is followed in the agency. Since
TACs  were  not  consulted  by  the  EDP  auditors  in  all  cases,  this 
may  explain  some  discrepancies.   We  would  also  note  that  over 
500  active  sign-ons  have  been  removed  from  the  CJIN  system 
since  the  onset  of  the  CJIN  workbook  certification  program  in 
September,  1988,  due  to  failure  to  certify  or  to  certify  in  a 
timely  manner.   Also,  the  certification  workbook  done  in 
Montana  is  a  very  extensive  and  complete  training  program  of 
the entire CJIN and NCIC networks. This workbook spans
about  100  pages  and  is  Police  Officer  Standards  Training 
(POST)  certified  for  35  to  66  credit  hours,  with  the  majority  of 
operators  certifying  at  the  66  credit  hours  level. 

The  recertification  program  is  POST  certified  for  8  credit 
hours.    However,  this  is  not  the  only  means  by  which  operators 
are  made  aware  of  new  procedures.   We  provide  on-line  news 
files,  TAC  conferences,  special  mailings  and  system  messages, 
and  regional  schools  that  inform  users  of  new  changes. 

Present  Implementation  Status 

Part A of this recommendation is not implemented. The department
has not established minimum standards for performing background
checks. We believe the department should establish
standards  for  background  checks.  In  two  of  the  law  enforcement 
agencies  we  visited,  we  found  eight  of  sixteen  department 
personnel  did  not  have  background  checks  performed.   In  two 
other  law  enforcement  agencies  we  visited,  we  found  they  did  not 
document  background  checks.   CJIN  guidelines  state  agencies 
having  access  to  criminal  history  data  must  perform  background 
checks  on  all  CJIN  users.   By  not  performing  background  checks, 
law  enforcement  agencies  could  allow  convicted  criminals  access  to 
confidential  information. 

Part  B  of  this  recommendation  is  implemented.   We  believe  the 
department  is  now  enforcing  certification  policies  which  require  the 
department  to  terminate  user  access  if  certification  requirements  are 
not  met.   The  department  gave  us  examples  of  individuals  whose 
access  had  been  terminated  because  they  had  not  met  the  required 
certification  procedures.   We  also  found  terminal  operators  at  the 
law  enforcement  agencies  we  visited  were  all  currently  certified. 


Destruction of Confidential Information


Recommendation  #7 

We  recommend  the  department  establish  formal  policies 
and  procedures  for  protection  and  destruction  of 
confidential  information. 

Initial Agency Response

We  concur.   It  should  be  noted  that  in  the  CJIN  offices  in  Helena 
the confidential material is maintained in a secure, locked environment.
No unauthorized personnel have access to the CJIN Services
room. At any time that the room is unlocked, there is always a
CJIN employee in the room. In the CJIN Helena office we will
purchase a wastebasket shredder for daily use of staff. We will
also highly recommend that local agencies put a priority on shredding
confidential material and incorporate this recommendation into
our  training  and  auditing  function. 

Present  Implementation  Status 

This recommendation is implemented. The department has
established formal policies and procedures for protection and
destruction of confidential information. We found these policies
and procedures have been put in place at CJIN terminals at the
main office in Helena and at the local law enforcement agencies we
visited.


Hot  File  Issues 
Untimely  Entry  of  Data 


Recommendation  #8 

We  recommend  the  department: 

A.  Establish  definitions  and  procedures  for  the  timely 
entry  of  hot  file  information. 

B.  Communicate  definitions  and  procedures  to  local  law 
enforcement  agencies. 


Initial  Agency  Response 

A.  and  B.   We  concur  that  timely  entry  of  information  is  important 
but  believe  that  state  and  federal  law  may  need  to  be  amended  to 
provide  clearer  definitions. 

During the same time period that the EDP audit was being performed,
NCIC performed its biennial audit of Montana. The
NCIC audit is comprehensive and thoroughly examines all NCIC
policy issues at the state and user level. NCIC performed on-site
audits  of  eight  local  agencies  that  represent  the  biggest  users  of  the 
network.   NCIC  auditors  reviewed  101  Wanted  Person  records, 
101  Stolen  Vehicle  records  and  29  Missing  Person  records.   The 
NCIC  audit  results  report,  "All  records  reviewed  had  been  entered 
in  a  timely  manner." 

We  have  discussed  the  timeliness  issues  with  the  attorney  for 
NCIC,  Mike  Miller.   Mr.  Miller  said  that  NCIC  has  no  real  time 
requirement  for  agencies  to  enter  records  into  the  system  since 
record  entry  is  voluntary.   He  also  discussed  the  benefits  of  timely 
record  entry,  and  hoped  that  these  benefits  would  cause  agencies  to 
develop  policy  that  would  require  timely  entry. 

Five Montana Sheriffs' offices and many police departments are
not  connected  to  CJIN  terminals,  and  do  not  enter  any  records. 

The  audit  reports  that  some  warrants  were  not  entered  for  up  to 
1-1/2  years.  This  delay  appears  to  be  due  to  the  lack  of  personnel 
resources in local police and sheriffs' offices to enter all warrants
into  CJIN/NCIC.   Some  agencies  have  developed  a  policy  that  no 
misdemeanor  warrants  would  be  entered  into  the  system.   This 
does  not  appear  to  constitute  untimely  record  entry. 

There  is  state  law  that  requires  the  immediate  entry  of  missing 
juvenile  records  and  stolen  vehicles  into  the  law  enforcement 
telecommunications  system.   However,  these  state  laws  do  not 
define  "immediate."   Legislation  may  be  necessary  to  clarify  this. 

Present  Implementation  Status 

Part A of this recommendation is not implemented. CJIN
services has not established definitions and procedures for the
timely  entry  of  hot  file  information.   In  addition,  the  department 
did  not  seek  legislation  or  establish  administrative  rules  providing 
definitions  and  procedures  for  the  timely  entry  of  information. 
CJIN  guidelines  do  indicate  maximum  system  effectiveness  requires 
prompt  record  entries.   We  found  30  of  45  wanted  person  records 
were  entered  more  than  2  days,  up  to  a  maximum  of  245  days, 
after  the  warrant  was  issued.   We  found  3  of  49  stolen  vehicle 
records  were  entered  more  than  7  days,  up  to  a  maximum  of  42 
days,  after  the  date  of  complaint.   In  addition,  we  found  7  of  46 
missing  person  records  were  entered  more  than  a  day  after  the  date 
of complaint up to a maximum of 5 days. Based upon interviews,
local law enforcement personnel believe they enter data in a timely
manner. If CJIN services would establish definitions and
procedures for the timely entry of hot file information, local law
enforcement personnel would have a way of measuring performance.

Part  B  of  this  recommendation  is  not  implemented.    Since  part 
A  has  not  been  implemented,  this  recommendation  is  not  applicable 
at  this  time. 


Data  Integrity 


Recommendation  #9 

We  recommend  the  department: 

A.  Ensure  validation  procedures  are  followed  by  all  user 
agencies  through  improved  training  and  on-site 
reviews. 

B.  Stress  the  importance  of  double-checking  procedures 
and  recommend  alternatives  for  user  agencies  as 
appropriate. 


Initial  Agency  Response 

A.  and  B.   We  concur.   We  have  followed  up  with  local  agencies 
and  will  continue  to  do  so.   Our  follow-up  indicates  that  two 
agencies  did  not  fully  meet  the  validation  process  in  regard  to  one 
specific  file  (Ravalli  county-vehicle  file,  and  Flathead  County 
vehicle  file).   Additional  follow-up  with  agencies  revealed  that  two 
agencies  cited  for  not  following  the  validation  procedures,  actually 
were but since the TAC was not consulted in the agency, information
was incorrectly reported. In another instance, one agency
initially  indicated  that  they  validated  their  wanted  person  records  all 
at  once,  once  a  year.  This  meets  the  NCIC  validation  policy.  This 
agency  in  a  follow-up  has  indicated  to  us  that  they  actually  review 
records  daily  with  the  courts  via  a  listing.   Two  agencies  also 
indicated  that  they  purged  records  when  they  can  no  longer  be 
validated. This had been incorrectly reported on the EDP workpapers
provided.

Present Implementation Status

Part A of this recommendation is not implemented. We determined
the department has improved the user training related to
CJIN  validation  procedures  but  still  does  not  perform  on-site 
reviews.   CJIN  guidelines  state  failure  to  validate  records 
jeopardizes  the  integrity  of  the  system.    Department  personnel 
indicated  they  would  like  to  be  able  to  perform  on-site  reviews  and 
provide  additional  training  related  to  validations,  but  are  restricted 
by budget and personnel limitations. We recommend the department
provide training regarding validation procedures and ensure
those  procedures  are  followed  by  all  user  agencies  through  on-site 
reviews. 

Part  B  of  this  recommendation  is  not  implemented.    We  found 
that  although  the  department  has  provided  training  through 
manuals,  conferences,  and  other  forms  of  communicating  to  stress 
the importance of double-checking procedures to local law enforcement
agencies and has recommended alternatives, problems still
exist.   When  we  visited  the  five  local  law  enforcement  agencies, 
we  found  one  agency  is  not  performing  double-checking  of  entries. 
CJIN  guidelines  state  the  accuracy  of  CJIN/NCIC  records  must  be 
double-checked  by  a  second  party.  Department  personnel  indicated 
they  believe  having  CJIN  procedures  as  a  guideline  is  enough.  We 
believe  additional  on-site  reviews  and  other  enforcement  measures 
are  necessary  to  improve  agency  compliance. 


Terminal Agency Coordinator (TAC)


Recommendation  #10 

We recommend the department clearly define the TAC's
role  in  the  CJIN  network  and  stress  the  importance  of  that 
role  to  local  agencies. 


Initial  Agency  Response 

We concur. The role of TAC is stressed by the Department of
Justice through agency User Agreements, TAC conferences, a
special TAC training workbook endorsement (8 POST hours) and
by special mailings. We will continue to stress the importance of
this function in our communications and training with local
agencies.

Present Implementation Status

This  recommendation  is  implemented.   The  department  developed 
a  list  of  the  roles  and  responsibilities  of  the  TAC.   The  department 
discussed  the  roles  and  responsibilities  of  the  TAC  during  the  last 
TAC  conference.   We  found  the  list  clearly  defines  the  TAC's  role 
in  CJIN. 


Criminal  History  Issues 

Records  Not  on  the 
System 


Recommendation  #11 

We  recommend  the  department  work  with  local  law 
enforcement  agencies  to  develop  recommended  fingerprint 
card  procedures  designed  to  improve  data  integrity  for  the 
Criminal  History  database. 


Initial  Agency  Response 

We  concur.   The  Criminal  History  Records  Program  (CHRP)  had 
previously  identified  these  problems.   We  recently  obtained  a 
Federal  Bureau  of  Justice  grant  to  provide  training  and  develop 
procedures  to  improve  data  integrity.   The  grant  has  enabled  CHRP 
to  visit  many  local  agencies  to  discuss  fingerprint  submissions  and 
the  development  of  new  procedures  and  forms.   Training  has  been 
provided  in  26  regional  schools  related  to  enhancing  the  quality  of 
fingerprint  record  submissions.   As  a  result,  CHRP  has  prepared 
new  administrative  rules  to  standardize  and  clarify  needed  criminal 
history  information,  proper  filling  out  of  the  fingerprint  card,  and 
an  incident  based  tracking  number  called  the  Montana  Arrest 
Numbering  System  (MANS)  which  is  a  number  assigned  at  the 
time  of  arrest/booking  that  is  placed  on  all  documentation  dealing 
with  that  arrest.   The  new  disposition  form  will  help  ensure  proper 
records.   A  manual  was  developed  that  provides  clear  instruction 
on  what  is  needed  on  the  forms. 

The  new  system  will  enable  the  CHRP  to  monitor  arrests  and 
records  received  by  us.  The  last  legislative  session  gave  us  the 
authority  to  audit  our  records  against  those  of  local  agencies. 
These  changes  will  enable  us  to  identify  agencies  that  are  not 
submitting  criminal  records  to  the  CHRP. 

The MANS number and rap sheets (which are generated when a
new  criminal  history  record  is  entered)  will  address  part  of  the 
verification  concerns.   As  audits  are  conducted  we  will  be  able  to 
work  with  individual  agencies  to  comply  with  criminal  history 
records  needs.   Although  all  the  addressed  control  procedures  may 
not  be  reasonable  to  meet,  we  will  work  towards  improving  data 
base  controls.   Plans  are  currently  being  implemented  to  improve 
many  of  these. 

Present  Implementation  Status 

This  recommendation  is  implemented.  The  department  has 
developed  fingerprint  card  procedures  designed  to  improve  data 
integrity for the Criminal History database. We found the department
established procedures as described in its initial response.
The  department  has  contacted  local  law  enforcement  agencies  and 
trained  law  enforcement  officials  on  the  use  of  the  fingerprint  card 
procedures  established  by  the  department. 


Disposition  Information 
Incorrect 


Recommendation  #12 

We  recommend  the  department  establish  procedures 
which: 

A.  Require  supporting  documentation  for  all  dispositions. 

B.  Ensure  disposition  information  on  the  system  is 
complete  and  accurate. 


Initial  Agency  Response 

A.  and  B.   We  concur.   Current  procedures  demand  that 
documentation  be  present  for  any  disposition  information  entered, 
also  the  new  disposition  forms  will  help  considerably  with  this 
issue.   When  a  non-criminal  justice  agency  requests  a  records 
check  the  record  is  not  released  unless  we  have  proper  disposition 
information,  if  we  do  not  have  the  disposition  we  contact  the  court. 

To  send  out  a  notice  of  all  missing  dispositions  is  possible,  but  I  do 
not  believe  the  response  from  the  courts  and  law  enforcement 
would  be  encouraging  as  they  do  not  have  the  man  power  to 
provide the information needed. We will continue to work on this
in  our  training  and  audit  procedures. 

The  new  dispositions  form,  the  MANS  system,  and  training  should 
help  to  eliminate  problems  in  the  future.   Our  goal,  taking  into 
account  funding  and  personnel  is  to  improve  the  future  incoming 
records  as  much  as  possible.   Existing  records  will  continue  to  be 
worked  on  as  time  permits. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.   Department 
personnel  indicated  they  have  established  procedures  to  ensure  they 
received  all  of  the  dispositions  through  the  MANS  numbering 
system.   We  found  the  MANS  system  is  in  place  and  should  ensure 
all dispositions are received and are supported by approved documentation.

Part B of this recommendation is being implemented. The
department is in the process of systematically reviewing all of the
cases on the system, and updating disposition information. However,
this is a time-consuming project, and will not be completed
for  some  time  because  there  are  over  125,000  files  to  review.  As 
a  result,  of  47  felony  arrests  we  tested,  we  found  15  did  not  have 
dispositions  sent  to  the  Identification  Bureau. 


Inaccurate Data in the Files


Recommendation #13


We  recommend  the  department  develop  input  verification 
procedures  to  test  the  accuracy  of  criminal  history  data. 


Initial  Agency  Response 

We  concur.  Procedures  are  being  implemented  to  do  random  spot 
checking,  by  this  we  will  be  able  to  identify  if  there  is  a  habitual 
problem  with  accurate  entry.   Spot  checking  is  the  only  method  we 
would  be  able  to  incorporate.   Checking  all  entered  information 
would  be  impossible  to  accomplish  with  existing  funding  and  staff. 
Some agencies are verifying entered data at the time they receive the
rap  sheets. 

Present Implementation Status

This recommendation is implemented. The department has
established spot check procedures as indicated in its initial
response.


Interagency  Relations 

Relationship  with  Local 
Law  Enforcement 
Agencies 


Recommendation  #14 

We  recommend  the  department: 

A.  Adopt  rules  for  enforcement  of  established  criminal 
justice  policies  as  specified  in  section  44-5-213(7), 
MCA. 

B.  Perform  on-site  reviews  of  larger  criminal  justice 
agencies. 


Initial  Agency  Response 

A.  We  concur  and  will  examine  the  options  available  to  the 
Department  of  Justice  for  enforcement  of  established  criminal 
justice  policies. 

B.  We  concur.   However,  we  would  note  that  there  is  only  one 
FTE  training  officer  in  this  program  and  taking  on  additional 
tasks  would  be  difficult.   Also,  since  the  task  of  auditing  is 
very  different  than  that  of  a  training  officer,  combining  the  two 
tasks  may  lead  to  difficulties. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.  The  department 
established  administrative  rules  in  sections  23.12.102  to  23.12.106, 
ARM, related to enforcement of criminal justice policies as specified
in section 44-5-213(7), MCA. The rules were adopted on
April  16,  1993.   The  department  worked  with  many  different 
people  in  developing  and  soliciting  comments  on  the  administrative 
rules.   The  department  also  offered  training  to  people  responsible 
for  the  submission  of  fingerprint  cards  and  disposition  information. 

Part B of this recommendation is not implemented. Department
personnel  indicated  they  still  do  not  perform  on-site  reviews  of 
criminal  justice  agencies.    As  noted  in  the  original  audit,  inaccurate 
and  incomplete  information  available  to  law  enforcement  personnel 
could  result  in  improperly  detaining  innocent  persons,  endangering 
law  enforcement  personnel,  and  delaying  the  apprehension  of  guilty 
persons.   Department  personnel  indicated  they  would  like  to  be 
able  to  perform  on-site  reviews,  but  they  believe  they  do  not  have 
the  time  or  personnel.   The  department  should  still  consider 
conducting  on-site  reviews  of  the  larger  criminal  justice  agencies  to 
identify  problem  areas  and  improve  the  integrity  of  the  data. 


Relationship  with  Courts 


Recommendation  #15 

We  recommend  the  Department  of  Justice  and  the 
Judiciary  work  jointly  to  improve: 

A.  Compliance  with  state  statutes  regarding  criminal 
justice  information. 

B.  Communication  and  cooperation  between  the  agencies. 


Initial  Agency  Response 

A.  and  B.   We  concur.   We  will  contact  the  Judiciary  to  examine  a 
structure  for  better  communications.    CHRP  has  already 
approached  part  of  improving  communications  by  adoption  of  the 
Administrative  Rules  23.12.102  -  23.12.106.   These  disposition 
rules  were  developed  in  cooperation  with  courts,  county  attorneys 
and  law  enforcement.  They  have  been  given  approval  by  the 
Montana  Supreme  Court.   We  will  strive  to  maintain  contact  with 
these  entities  in  the  future. 

Judiciary's  Response: 
We  concur. 

A.  The  Commission  on  Courts  of  Limited  Jurisdiction  and  the 
Judicial  Education  Committee  will  add  "Statutory  Compliance 
in  Reporting  Criminal  Dispositions"  to  the  educational  agenda 
of  the  next  available  conference.   Additionally,  we  will  request 
that the Clerks of Court address this topic at their next available
conference.

B.   The  Judiciary  encourages  communication  and  cooperation  with 
all  branches  of  government.   The  Commission  on  Courts  of 
Limited  Jurisdiction  and  the  Judicial  Education  Committee  are 
always  open  to  input  from  the  Department  of  Justice. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.  The  department 
has  established  a  liaison  to  work  with  the  Judiciary.   The  liaison 
has  worked  with  various  people  from  the  Judiciary  to  ensure 
dispositions  and  fingerprint  cards  are  processed  in  compliance  with 
state  statutes.   The  liaison  indicated  a  number  of  courts  were 
surprised  when  they  were  informed  about  the  state  law  requiring 
dispositions  be  sent  to  the  state  repository  within  15  days.   We 
found  the  liaison  continues  to  work  with  many  individuals  from  the 
Judiciary  to  improve  compliance  with  state  statutes. 

Part  B  of  this  recommendation  is  implemented.   We  found 
communication  and  cooperation  between  the  department  and  the 
Judiciary  has  improved  through  use  of  the  liaison.   In  addition, 
there  have  been  many  hours  spent  on  training  and  development  of 
procedures  as  described  in  the  administrative  rules. 


Vehicle  Registration  and 
Titling 


The  Department  of  Justice  uses  the  Vehicle  Registration  and  Titling 
(R&T)  application  for  titling,  registering,  and  tracking  over 
900,000  vehicles  in  Montana.   The  application  contains  information 
regarding:   vehicle  titles,  vehicle  registration,  title  and  registration 
fees,  and  property  tax  collections.   The  application  processes  this 
information  and  calculates  amounts  counties  must  remit  to  the  state. 


The  R&T  application  is  an  on-line  application,  developed  by  the 
department,  which  permits  immediate  update  of  registration  and 
title  information.   County  employees  begin  the  title  process  by 
recording initial title information and collecting fees. Title documentation
is forwarded to the Registration and Titling Bureau in
Deer  Lodge.   Bureau  personnel  review  the  title  application,  input 
additional  information,  and  finally  print  and  mail  the  completed 
title.    In  comparison,  county  personnel  input  vehicle  registration 
data,  collect  fees,  and  issue  license  plates  or  renewal  stickers. 

In our original audit, we performed an application review of the
R&T  application.   During  our  follow-up,  we  examined  existing 
input,  processing,  and  output  controls.   We  visited  five  county 
offices  to  observe  operations  and  review  controls.   In  addition,  we 
performed  audit  work  at  the  Motor  Vehicles  Division  in  Helena 
and  the  Registration  and  Titling  Bureau  in  Deer  Lodge.   The 
following sections discuss the status of our initial recommendations.


Titling  Function 

Title Transmittal Procedures not Established


Recommendation  #16 

We  recommend  the  department  establish  procedures  to 
ensure  all  title  transactions  are  sent  to  and  received  by  the 
Registration  and  Titling  Bureau. 


Initial Agency Response

We concur with the recommendation. It is a complex issue but we
feel that by setting and enforcing additional policies and procedures
the problem of tracking title transactions can be resolved.

Present Implementation Status

This recommendation is not implemented. We found the department
did not establish procedures to ensure batches of titles sent to
or from Deer Lodge are properly delivered. Industry guidelines
state movement of data between one processing step and another or
between departments should be controlled. A batch of titles sent to
Deer Lodge could be lost in the mail and go unnoticed. We
believe the department should establish procedures to ensure all
title transactions are sent and received by the Registration and
Titling Bureau.


Title Printing


Recommendation #17

We  recommend  the  department  document  title  printing 
procedures. 

Initial Agency Response

We concur. Documentation of title printing has been created and
implemented.

Present Implementation Status

This recommendation is implemented. The department has
established formal title printing procedures. We reviewed the
procedures and determined they were adequate.


Registration Function

Data Integrity


Recommendation #18

We  recommend  the  department: 

A.  Recommend  counties  require  the  registration  of  all 
employee  owned  vehicles  be  done  by  a  supervisor  of 
the  employee. 

B.  Coordinate  with  the  Department  of  Commerce  in 
reviewing  computer  access  and  management  controls. 


Initial  Agency  Response 

A.  We  concur.   County  officials  will  be  strongly  advised  that 
employees must not register their own vehicle. We understand,
however, that smaller counties with a very small staff
may have some difficulties in segregating these duties.

B. We concur. The Motor Vehicle Division will offer our assistance
to the Department of Commerce to enhance their audit
procedures  of  county  motor  vehicle  offices. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.   We  found  the 
department  developed  policies  to  recommend  county  officials  not 
register  their  own  vehicles.   However,  in  our  follow-up  we 
reviewed  a  sample  of  25  employees  and  found  7  registered  their 
own  vehicles  in  1994.  Department  personnel  indicated  they  cannot 
dictate  to  counties  that  employees  may  not  register  their  own 
vehicles, because of limited county staff. However, we believe the
department  can  require  the  registration  of  all  employee  owned 
vehicles  be  done  by  a  supervisor  of  the  employee.   In  order  to 
ensure  compliance  with  its  policy,  the  department  should  consider  a 
follow-up  on  employees,  similar  to  the  testing  we  performed. 

Part  B  of  this  recommendation  is  not  implemented.   We  found 
the  department  has  contacted  the  Department  of  Commerce 
regarding  audits  of  agencies  under  its  jurisdiction.   However, 
review  of  the  computer  access  and  management  controls  has  not 
been  discussed  between  the  two  agencies. 


Market Value less than
the Required Minimum


Recommendation #19


We  recommend  the  department  provide  additional  training 
for  county  employees  to  improve  data  integrity  in  the 
Registration  and  Titling  application. 


Initial  Agency  Response 

We concur. We will incorporate this recommendation into our
training program and will update our training manual.

Present  Implementation  Status 

This recommendation is not implemented. We found the department
has not adequately trained users regarding the market value
field.   The  user  manual  indicates  users  should  not  leave  the  market 
value  field  blank  when  using  an  exemption;  however,  we  found 
over  64,000  transactions  on  the  system  with  the  market  value  field 
blank  or  having  no  value.   We  believe  the  department  should 
provide  additional  training  to  ensure  the  market  value  fields  are 
entered  properly.   In  addition,  a  report  can  be  generated  of  all 
vehicles  with  market  value  less  than  the  minimum.    The  department 
should  use  these  reports  to  ensure  compliance  with  its  policies. 


On-Line Edits


Recommendation  #20 

We  recommend  the  department: 

A.  Implement  market  value  edits  which  ensure 
registration  transactions  are  valid  and  market  values 
recorded  comply  with  state  law. 

B.  Review  other  R&T  application  edits  for  effectiveness. 


Initial  Agency  Response 

A.  and  B.   We  concur.   We  would  note  that  this  will  require  major 
program  changes.   Until  these  system  changes  can  be  made,  we 
will  provide  specific  training  of  county  personnel  and  continued 
monitoring  of  transactions. 

Present  Implementation  Status 

Part A of this recommendation is not implemented. The department
has not implemented market value edits which ensure registration
transactions are valid and market values recorded comply
with state law. County employees can input any numeric value
as the value of a vehicle. Section 61-3-503, MCA, states a vehicle
is  to  be  depreciated  until  a  minimum  value  of  $500  is  reached.  If 
the  value  is  less  than  $500  the  vehicle  market  value  should  be  listed 
as  $500.   During  our  review,  we  found  72,815  vehicles  valued  at 
less  than  $500.  We  sampled  ten  of  those  vehicles  and  found  over 
$750  in  property  taxes  had  not  been  paid  because  the  market  value 
was  input  incorrectly.  The  department  should  implement  market 
value  edits  which  ensure  registration  transactions  are  valid  and 
market  values  recorded  comply  with  state  law. 

Part B of this recommendation is not implemented. The department
has not reviewed the edits built into the system since our
audit. As a result, the department still has edits that do not function
properly. In addition to accepting market value amounts less
than  the  amounts  required  by  law,  the  R&T  application  has  other 
edits  that  are  not  effective.   For  example,  the  expiration  date  field 
will  accept  dates  in  the  future  beyond  the  current  registration  year. 
The  system  should  verify  all  significant  codes  used  to  record  data. 
Without  proper  edits,  invalid  data  may  be  entered  and  processed. 
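
The input edits and exception report discussed under Recommendations #19 and #20, sketched as an added example that is not the department's R&T code: a blank and non-numeric market value check, the $500 floor the report cites from section 61-3-503, MCA, and a limit on the expiration date. The record layout, the edit codes, the one-year registration rule and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List, Tuple

# Minimum market value the report cites from section 61-3-503, MCA.
MIN_MARKET_VALUE = Decimal("500")


@dataclass
class Transaction:
    """Hypothetical registration input record (not the R&T application's layout)."""
    receipt_no: str
    market_value: str      # raw keyed text; may be blank
    registered_on: date
    expires_on: date


def latest_expiration(registered_on: date) -> date:
    """Assumed rule: a registration runs at most one year from its start date."""
    try:
        return registered_on.replace(year=registered_on.year + 1)
    except ValueError:     # 29 February has no counterpart in the following year
        return registered_on.replace(year=registered_on.year + 1, day=28)


def edit_transaction(tx: Transaction) -> List[str]:
    """Return the edit codes a transaction fails; an empty list means it passes."""
    errors: List[str] = []

    raw = tx.market_value.strip()
    if not raw:
        errors.append("MV_BLANK")
    else:
        try:
            value = Decimal(raw)
        except InvalidOperation:
            value = None
        # Decimal accepts "NaN" and "Infinity"; neither is a usable amount.
        if value is None or not value.is_finite():
            errors.append("MV_NOT_NUMERIC")
        elif value < MIN_MARKET_VALUE:
            errors.append("MV_BELOW_MINIMUM")

    if tx.expires_on <= tx.registered_on:
        errors.append("EXP_NOT_AFTER_REGISTRATION")
    elif tx.expires_on > latest_expiration(tx.registered_on):
        errors.append("EXP_BEYOND_REGISTRATION_YEAR")
    return errors


def exception_report(batch: List[Transaction]) -> List[Tuple[str, List[str]]]:
    """Supervisor report: every transaction that fails an edit, with its codes."""
    report = []
    for tx in batch:
        errors = edit_transaction(tx)
        if errors:
            report.append((tx.receipt_no, errors))
    return report


# Constructed sample transactions; none of these values come from the audit.
SAMPLE = [
    Transaction("R-0001", "4200", date(1994, 3, 15), date(1995, 3, 15)),
    Transaction("R-0002", "", date(1994, 3, 15), date(1995, 3, 15)),
    Transaction("R-0003", "125.00", date(1994, 3, 15), date(1995, 3, 15)),
    Transaction("R-0004", "900", date(1994, 3, 15), date(1997, 3, 15)),
    Transaction("R-0005", "abc", date(1994, 6, 1), date(1994, 6, 1)),
]

if __name__ == "__main__":
    for receipt_no, errors in exception_report(SAMPLE):
        print(receipt_no, ", ".join(errors))
```

Run at entry time, `edit_transaction` rejects the record before it is stored; run over stored records, `exception_report` gives supervisors the below-minimum listing the report says can be generated.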


Management Concerns


Reports  not  Reviewed 


Recommendation  #21 

We  recommend  the  department: 

A.  Instruct  the  county  supervisors  how  to  use  and  review 
the  reports. 

B.  Emphasize  to  supervisors  the  importance  of  monitoring 
fee  changes  and  voided  receipts. 


Initial  Agency  Response 

A.  and  B.   We  concur.   Using  and  reviewing  reports  will  be 
highlighted  in  the  training  manual  and  emphasized  in  the  training  of 
county  employees. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.  The  department 
revised  the  users  manual  to  include  procedures  on  how  to  use  and 
review  reports.   We  found  the  manual  gives  adequate  instructions 
to  the  county  supervisors  on  how  to  use  and  review  reports.  In 
addition,  county  supervisors  stated  the  department  provided  them 
with  additional  training,  and  they  are  utilizing  the  reports. 

Part  B  of  this  recommendation  is  implemented.  The  department 
has  emphasized  to  the  counties  the  importance  of  reviewing  reports 
to  monitor  fee  modifications  and  voided  receipts.   We  found  the 
department  included  a  special  section  in  the  new  users  manual  to 
discuss  the  use  of  reports  to  monitor  fee  modifications  and  voided 
receipts.   In  addition,  we  found  county  supervisors  were  utilizing 
the  reports. 


Segregation of Duties


Recommendation #22

We recommend the department coordinate with the
Department of Commerce to help local government
agencies establish effective controls over the Registration
and Titling function.


Initial Agency Response

We concur. However, it must be understood that in a majority of
the smaller counties with a very small staff there may be no other
person to perform these functions.

Present Implementation Status

This recommendation is not implemented. Through interview
with county supervisors, we found the Department of Justice and
the Department of Commerce have not cooperated to give local
government agencies guidance regarding controls over the registration
and titling function. Department of Commerce personnel
indicated they currently do not review management controls or
computer access. The department should coordinate with the
Department of Commerce and other local government auditors to
help counties establish effective controls over the Registration and
Titling function.


Contingency Planning


Recommendation #23

We  recommend  the  department  develop  formal  disaster 
recovery  procedures  for  the  Registration  and  Titling 
application. 


Initial  Agency  Response 

We  concur.   The  County  Motor  Vehicle  Computer  Committee  is 
studying  the  matter  at  this  time.   Separate  single  registration 
receipts  have  been  and  will  continue  to  be  provided  for  use  in  a 
typewriter  when  the  system  is  down.   Counties  have  been  and  will 
continue  to  be  trained  in  the  use  of  hand-typed  receipts. 
Present Implementation Status

This recommendation is implemented. The department has
established procedures to follow when the R&T application is
down. The procedures they developed include hand typing
registration receipts, and entering the information into the Vehicle
Registration and Titling Application when the application is
restored.


Processing  Concerns 


Fee  Table  Testing 


Recommendation  #24 

We  recommend  the  department  establish  policies  and 
procedures  requiring  a  periodic  review  of  registration  fee 
tables. 


Initial  Agency  Response 

We  concur.   Department  personnel  other  than  the  person  creating 
the  tables  will  review  the  tables  on  a  regular  basis.   The  problem 
with  the  GVW  table  for  small  trailers  will  be  eliminated  completely 
when  House  Bill  No.  651  goes  into  effect  January  1,  1994  —  as  it 
exempts  all  trailers  from  carrying  GVW.   Until  then,  the  problem 
will  be  solved  temporarily  with  a  system  fix  and/or  clarification  of 
small  trailer  GVW  to  law  enforcement  agencies. 

Present  Implementation  Status 

This  recommendation  is  implemented.  The  department  has 
established  policies  and  procedures  requiring  a  periodic  review  of 
registration  fee  tables.   During  our  review,  we  found  trainers 
taking  copies  of  the  fee  table  from  the  system  and  checking  with 
county  personnel  to  determine  if  the  fee  table  information  is 
accurate  for  the  county.   The  trainer  checks  the  fees  on  the  system 
to  the  support  provided  by  the  county. 
Output Controls


Recommendation  #25 

We  recommend  the  department: 

A.  Revise  the  GVW  report  or  provide  counties  with  an 
alternate  report  which  accurately  reports  state 
revenue. 

B.  Review  and  test  output  reports  to  ensure  field  widths 
on  the  fee  totals  report  prevent  truncating  of  amounts. 


Initial  Agency  Response 

A.  We  concur.   The  Department  of  Transportation,  Motor  Carrier 
Services  Division,  has  indicated  that  they  do  not  need  what 
used  to  be  called  the  GVW  report.  The  Motor  Carrier  Services 
Division  indicated  at  the  county  treasurers'  convention  in 
September  1993  that  the  Department  of  Transportation  no 
longer  needs  the  report  because  the  Fee  Totals  Report  provides 
the same information. We will urge the Department of
Transportation to ask for that report.

B.  We  concur.   The  truncating  of  amounts  is  in  the  process  of 
being  corrected. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.  The  department 
has  provided  an  alternate  report  which  accurately  reports  state 
GVW  revenue.  Department  personnel  indicated  the  report  they 
currently  use  was  already  available  and  gives  county  personnel 
more  information  than  just  GVW  information.   County  personnel 
indicated  they  believe  the  report  they  currently  use  to  submit  funds 
to  the  state  is  more  accurate  and  easier  to  use  than  the  old  GVW 
report. 

Part  B  of  this  recommendation  is  implemented.  The  department 
reviewed  output  reports  to  ensure  field  widths  on  the  fee  totals 
report  prevent  truncating  of  amounts.   At  the  five  counties  we 
visited,  we  found  no  truncated  amounts  on  the  fee  totals  report. 
County  personnel  indicated  although  it  was  a  problem  in  the  past, 
they  believe  the  problem  has  been  corrected. 


Interagency  Relationship 


Recommendation  #26 

We  recommend  the  county  motor  vehicle  computer 
committee: 

A.  Establish  central  direction  and  controls  designed  to 
improve  data  integrity,  application  management,  and 
county  controls  related  to  the  R&T  application. 

B.  Provide  a  means  for  improving  communication  and 
cooperation  between  state  and  local  agencies. 


Initial Agency Response

We  concur.   Our  concurrence  is  based  on  our  understanding  of  the 
recommendation  to  mean  that  the  committee  should  be  more 
directly  involved  in  managing  the  computer  system  at  the  county 
level.   Management  would  include  the  endorsement  of  edits,  office 
procedures  and  practices,  supervisory  controls,  constraints  on 
employee  practices,  etc.   Voluntary  attendance  at  the  committee 
meetings  has  been  and  will  continue  to  be  offered  to  other  county 
treasurers.  The  committee  will  consider  inviting  other  local  and 
state  agencies  to  have  a  representative  present  at  these  meetings. 

Present  Implementation  Status 

Part  A  of  this  recommendation  is  implemented.   We  reviewed 
the  committee  minutes  and  determined  the  county  motor  vehicle 
computer committee has established central direction and is
working on establishing controls designed to improve data integrity,
application  management,  and  county  controls  related  to  the  R&T 
application.   We  found  numerous  examples  in  the  minutes  where 
the  committee  was  addressing  areas  of  concern  in  our  original 
audit. 

Part  B  of  this  recommendation  is  implemented.  We  reviewed 
the  committee  minutes  and  found  numerous  examples  where  the 
county  motor  vehicle  computer  committee  is  addressing  the 
improvement  of  communication  and  cooperation  between  state  and 
local  agencies. 
Response


ATTORNEY GENERAL

STATE OF MONTANA


Joseph P. Mazurek
Attorney General


Department of Justice
215 North Sanders
PO Box 201401
Helena, MT 59620-1401


May 30, 1995


Mr. Scott Seacat
Legislative Auditor
State Capitol
P.O. Box 201705
Helena, Montana 59620

Dear Mr. Seacat:


The  Department  of  Justice's  response  to  the  follow-up  EDP  Audit 
presented  to  the  Legislative  Audit  Committee  in  May  of  1993, 
reviewed  in  October  of  1994  and  re-reviewed  in  May  of  1995  is 
attached  for  your  consideration. 

This material represents the Department's response on 18 items
that the Auditor indicated were "not implemented". I trust that
the committee will find our responses both informative and
sufficient.


I want to take this opportunity to express my appreciation for
the assistance that your staff and the Legislative Audit
Committee have given the Department in assessing the strengths
and weaknesses of our various automated systems.

I believe that we have made significant progress over the past
two years in addressing concerns that you have identified. While
we have not completed all the work necessary on every item, the
Department remains committed to accomplishing these tasks as time
and resources permit.


attachments 


c:    Dennis  M.  Taylor,  Chief  of  Staff  and  Deputy  Director 
Jim  Oppedahl,  Computer  Services  and  Planning  Division 
Dean  Roberts,  Motor  Vehicle  Division 
Mike  Batista,  Law  Enforcement  Services  Division 
LEGAL SERVICES DIVISION
Appellate  Legal  Services  Bureau  •  Agency  Legal  Services  Bureau  •  County  Prosecutor  Services  Bureau 

TELEPHONE:  (406)  444-2026     FAX:  (406)444-3549 


Department  of  Justice  Response 
to  the 
EDP  Follow-up  Audit  Report 
June,  1995 


Recommendation #1

We recommend the department establish controls which ensure
programmer access to production programs and data is limited and
logged.

The Computer Services and Planning Division (CSPD), in
consultation with the audit staff, determined that the audit
exception described here is with the F60, ACF2 rule on the Armory
mainframe that allows only two criminal justice programmers
un-logged access to F60.UPARMLIB.JUSTICE. The rule was reviewed and
changed effective May 10, 1995.

Recommendation #3

We recommend the department establish policies and procedures
which:

A. Prohibit EDP personnel from initiating and
authorizing Registration and Titling transactions.


The Computer Services and Planning Division, in consultation with
the audit staff, determined that the audit exception described
here is with the F73 Title and Registration (T&R), ACF2 rules.
The audit staff mentioned that while the ACF2 rules are better
than what they were, the staff was still concerned about a final
portion of the rule which allows un-logged access by user ID
string 086 (all CSPD programming staff) to any other F73 data
sets not addressed previously in the rule. The rule was changed
by May 17, 1995 to allow only the two programmer/analysts
currently assigned to the Title and Registration system, two
managers and operators at the Armory to access data sets with the
first node of F73.

In  addition,  the  audit  correctly  notes  that  the  entire 
programming  staff  does  have  access  to  Title  &  Registration  JCL. 
This  rule  has  been  reviewed  and  the  oversight  was  corrected  by 
May  17,  1995  to  allow  only  the  two  programmer/analysts  currently 
assigned  to  T&R  system  and  two  managers  access  to  this  JCL. 

It  should  be  noted  that  the  Department  did  comply  with 
recommendation  #2  A  after  the  initial  audit.   The  ACF2  rules  were 
changed  to  log  all  accesses  to  JCL  libraries.   The  results  were 
disastrous.   Daily,  weekly,  and  monthly  automated  processes  were 
disrupted  and  did  not  function  correctly  due  to  the  "feedback 
message"  received  from  the  logging  that  occurred.   Numerous  hours 
were  spent  recovering  data  and  rerunning  processes  that 
terminated  prematurely  due  to  this  change.   Consequently,  as  a 
result of this experience, we believe that logging should be
limited only to staff not in a direct support role for the Title
and Registration system.


Recommendation  #3 

We  recommend  the  department  establish  formal  access  control 
policies  and  procedures  which  require  local  government  officials: 

B. To review current access rights and determine if
user access corresponds to each user's job
responsibilities.

The  Motor  Vehicle  Division  (MVD)  has  asked  for  and  is 
receiving  new  authorization  forms  signed  by  the  county 
treasurer.   We  are  reviewing  authority  levels  of  each 
operator.   An  operator  is  given  the  authority  level  his  or 
her  supervisor  requests  with  the  approval  of  the  county 
treasurer.   The  authority  level  given  comes  from  a  working 
assessment  by  the  supervisor/county  treasurer.   In  addition, 
every  year  a  review  will  be  conducted  in  each  county  by  the 
TAC and Treasurer. Once the forms are received by the
Trainer(s), the security officer for the department is
informed of the add, change or deletion of county MVD staff
in order to update ACF2 rules or logon IDs. The security
officer and the Training and Information Unit Supervisor
from the Title and Registration Bureau (TRB), have agreed to
meet yearly (or more often if possible) to compare ACF2 and
R900 logon IDs and resolve any discrepancies.

Changes  to  the  ACF2  rules  for  the  programming  staff  occur  as 
needed.   When  the  MVD  systems  were  moved  to  the  Mitchell 
Building  mainframe,  ACF2  rules  were  created  for  the  systems. 
As  personnel  have  changed,  we  have  changed  rules  to  allow 
for  the  change  in  logon  IDs.   With  the  addition  of  a 
Security  and  Disaster  Recovery  position  on  staff  with  CSPD 
in  early  FY  1996,  we  anticipate  that  more  time  will  be  spent 
reviewing  and  improving  ACF2  rules  for  access. 

Additionally,  CSPD  is  working  with  Central  Services  to 
provide  a  method  of  notification  of  new  or  terminated 
employees  so  that  ACF2  and  LAN  security  issues  are 
addressed. 


We recommend the department:

A. Require periodic changing of passwords.

B. Ensure future applications developed for the department
encrypt passwords.

A.  Computer  Services  and  Planning  Division  has  been  working  on 
improving  the  CJIN  message  switcher  to  upgrade  its 
functionality.   A  new  security  program  has  been  written  for 
CJIN that will be installed when the message switcher
improvements are in place--estimated to be June, 1995. This
security  program  will  require  that  users  change  their 
password  at  least  once  every  90  days.   In  addition,  a  user 
sign-on  will  restrict  the  user's  access  to  only  those  files 
that  the  user  has  been  certified  to  access  through  the 
training  certification  program. 

B. The new security functions developed for the upgrade/rewrite
of the CJIN message switcher will allow a CJIN control
operator to reset a user's password to a "first time logon"
(as is currently done by those using the ACF2 security
package) without seeing the password. As is done with ACF2,
as soon as the user attempts to sign onto the application
using his/her reset password, he/she will be forced to
change their password. The function of resetting of the
password will be logged on the main CJIN printer.

Total  encryption  of  a  password  at  this  time  will  not  be 
complete.   However,  it  is  the  intent  of  the  Computer 
Services  and  Planning  Division  to  work  on  programming 
related  to  password  encryption  after  the  CJIN  message  switch 
upgrade  project  is  operational  and  stable. 

While  the  department  has  not  yet  established  policies  and 
procedures  requiring  encrypted  passwords  in  future 
applications,  it  is  our  intent  to  do  so  as  soon  as  we  have 
the  staff  and  resources  to  professionally  accomplish  these 
tasks.   The  Department  asked  for  and  received  from  the  1995 
Legislature  a  permanent,  full-time  Information  Systems 
Disaster  Recovery  and  Security  Officer  position.   This 
position  will  be  hired  in  July,  1995,  and  is  crucial  to 
developing  formal  policies  and  procedures  in  this  area.   In 
the  meantime,  the  Department  has  attempted  to  comply  with 
the  recommendation  through  the  changes  that  will  be 
implemented  as  a  part  of  the  CJIN  upgrade. 

We recommend the department:

A. Establish a formal contingency plan to comply with
guidelines for agencies specified in section 1-0240 MOM.

test the contingency plan.
The Department of Justice is committed to creating a well-formed
and meaningful disaster recovery and contingency plan. We have
made some progress in that effort, but much remains to be done--
not only in the three subsystems (CJIN, Criminal History Records,
and Title and Registration) that were examined by the Auditor--
but also in the many other information systems that are part of
the overall information system responsibilities of the
Department.

The  Department  asked  for  and  received  from  the  1995  Legislature  a 
permanent,  full-time  Information  Systems  Disaster  Recovery  and 
Security  Officer  position.   This  position  will  be  hired  in  July, 
1995  and  is  crucial  to  completing  a  formal  contingency  plan. 

It is important to note that a significant portion of our ability
to develop and test a disaster recovery and contingency plan is
dependent upon and inter-related with the Department of
Administration, Information Services Division's (ISD) hot site
disaster recovery plan for mainframe and network recovery. The
two  divisions  (ISD  and  CSPD)  have  been  working  together  on 
various  aspects  of  this  plan  over  the  past  year.   ISD's  final 
plan,  due  in  July,  1995  will  be  a  critical  component  of  the 
Department  of  Justice's  overall  plan. 

In  the  area  of  the  Criminal  Justice  Information  Network,  it 
should  not  go  unnoticed  that  significant  disaster  recovery  and 
contingency  processes  are  now  and  have  been  in  place  for  years. 
The Department of Justice still has a significant amount of work
to do in this area to comply with section 1.0240.00 of MOM--yet
CJIN is currently the most redundant and closely monitored
information  system  in  State  government.   CJIN  receives  24-hour, 
seven  days-a-week  support  from  both  the  Department  of  Justice  and 
the  Department  of  Administration.   Contingencies  are  an  integral 
part  of  the  design  and  daily  operation  procedures  of  CJIN: 

1.  Contingency  planning  is  built  into  the  message 
switcher.   The  message  switcher  is  specifically 
designed  to  operate  on  either  the  Armory  mainframe  or 
the  Mitchell  mainframe.   This  process  is  well 
documented  and  takes  less  than  10  minutes  to 
accomplish. 

2. Operational contingency planning exists. CJIN receives
24 hour support from both Justice and Administration.
There are at least three persons on-call (through
pagers and cellular phones) 24 hours-a-day, seven
days-a-week who are available to provide additional support.
On-call lists and procedures are maintained by both the
Highway Patrol staff and the Department of
Administration's Computer Operations staff.

3. Contingency planning is an integral part of CJIN
information file structures. CJIN's files are
specifically designed for redundancy and contingencies.
Stolen vehicle, wants and warrants and criminal history
information exist on the Armory mainframe and is also
stored (and in the case of Criminal History Records,
indexed) on the FBI's NCIC computer system in
Washington, D.C.

Additionally,  relevant  portions  of  Title  and 
Registration  and  Driver  Control  records  are  replicated 
on  the  Armory  mainframe  to  provide  information  to  law 
enforcement  in  the  event  that  the  Mitchell  Building 
mainframe  is  down.   Considerable  time  was  spent  in  1994 
designing,  programming  and  implementing  these 
contingency  "side  files". 

All of the redundancies listed here are in addition to
the Department's otherwise standard internal backup
procedures.

4.  There  are  contingency  plans  for  the  network  side  of 
CJIN.   Contingency  planning  and  procedures  exist  for 
network  outages.   The  Armory  mainframe  is  fully  able  to 
run  the  State  network  if  the  Mitchell  Building 
mainframe  is  down. 

5. We have hardware contingencies. All critical hardware
components of the CJIN system--from the Armory
mainframe to CJIN owned devices in local law
enforcement offices are fully covered by 24
hours-a-day, seven days-a-week maintenance agreements. In
addition, we train and instruct on procedures for
phone-based communications during any period of system
unavailability.

6.  We  have  contingencies  for  power  outages.   The  Armory 
facility  includes  a  diesel  generator  which  is  tested 
monthly  by  the  Department  of  Military  Affairs.   This 
generator  provides  continuous  power  whenever  commercial 
power  is  unavailable.   Switching  between  commercial  and 
diesel  generated  power  is  accomplished  using  the  UPS 
and  battery  facilities  that  we  have  installed  at  the 
Armory.   The  UPS  is  inspected  and  serviced  twice 
yearly.   The  batteries  are  inspected  monthly. 

The  contingency  that  is  not  at  all  planned  for  presently  on  CJIN 
would relate to catastrophic disasters that would knock out both
the  Armory  and  the  Mitchell  Building  processors.   This 
contingency  is  being  discussed  in  the  CJIN  redesign  project  that 
will  take  place  in  the  coming  biennium.   It  may  be  partially 
addressed  in  the  SummitNet  network  redesign,  and  also  will  be 
addressed  to  some  degree  in  ISD's  plans  for  a  Washington  hot-site 
for  disaster  recovery. 
Recommendation #6

We recommend the department


background checks on
CJIN users and require documentation of the background
checks.

The Computer Services and Planning Division has adopted a written
policy defining minimum background check requirements (See
attached memorandums dated May 8, 1995). Setting the minimum
standards  and  requirements  has  been  accomplished  in  coordination 
with  the  FBI  and  law  enforcement.   The  process  began  in  the 
summer  of  1994  and  is  now  complete. 



We  recommend  the  department: 

A. Establish definitions and procedures for the timely
entry of hot file information.

B. Communicate definitions and procedures to local law
enforcement agencies.

The  Department's  original  response  to  this  recommendation  is 
still  valid.   CJIN  Services  has  adopted  the  NCIC  definitions  for 
timeliness  of  hot  file  record  entries  for  all  CJIN/NCIC  files. 
All  NCIC  biennial  audits  have  found  that  Montana  agencies  are  in 
substantial  compliance  with  the  definitions  of  timely  record 
entry.  (See  for  example,  attached  1994  NCIC  Audit,  page  10) 

Since Montana law specifically addresses entry of two files--
stolen vehicle and missing juveniles--these Montana laws are
taught to users as part of their training. The timeliness of hot
file  record  entry  is  part  of  the  training  for  CJIN  operators 
through  the  required  certification  workbook,  regional  schools  and 
the  TAC  conferences.   Users  are  specifically  trained  on  the 
importance  of  timely  record  entry. 

Additionally,  CJIN  Services  has  corresponded  with  all  CJIN  users 
on  the  issue  of  timely  entry,  especially  as  it  relates  to  missing 
juveniles. 

Recommendation

We  recommend  the  department: 

A.   Ensure  validation  procedures  are  followed  by  all  user 
agencies  through  improved  training  and  on-site  reviews. 
B. Stress the importance of double-checking procedures and
recommend alternatives for user agencies as
appropriate.

A.  The  CJIN  training  position  (1  FTE)  was  vacant  for  a  short 
period  of  time  in  1993/4  which  caused  the  cancellation  of 
several  schools.   However,  CJIN  Services  filled  the  position 
as  soon  as  possible  and  has  improved  user  training  related 
to the CJIN validation procedures. Record validation was
covered at the TAC conference and in the Advanced Regional
Schools.

It is correct that CJIN Services has not been performing
on-site audits of user agencies. This is due to the lack of
audit personnel and other resources in CJIN Services.
However,  the  Department  requested  and  the  1995  Legislature 
approved  an  Auditor  position  for  CJIN  Services  beginning  in 
FY  1996.   When  this  position  is  filled,  CJIN  will  be  able  to 
perform  on-site  audits  of  user  agencies. 

Also, since the EDP audit of CJIN Services, NCIC has relaxed
its policy on record validations of the Vehicle, License
Plate and Boat files. Instead of requiring an annual
validation, these records are required to be validated only
one time 60-90 days after record entry. NCIC has also
approved a change in the validation of the Gun file from an
annual requirement to 60-90 days after entry and one year
later.

B. Double-checking of record entries is taught and emphasized.
This  is  done  in  every  CJIN  Regional  School  (both  Basic  and 
Advanced),  at  TAC  Conferences,  in  the  User's  guide,  and  in 
the  Operator  Certification  program.   It  is  included  in  the 
User  Agreement  signed  by  every  CJIN  agency  administrator. 

CJIN recommends several alternatives for double-checking
procedures.   The  CJIN  Users  Guide  (Part  1,  Section  4.2.2) 
recommends  that  "Agencies  lacking  the  support  staff  for  this 
cross-checking  should  require  the  case  officer  to  check  the 
record,  as  he  carries  primary  responsibility  for  seeking  the 
fugitive  and/or  stolen  property".   At  Regional  Schools,  it 
is  also  recommended  that  the  case  officer,  TAC  or  operator 
on  the  next  shift  could  double-check  a  record  entry. 

The  1994  NCIC  audit  found  seven  out  of  seven  local  agencies 
were  performing  second  party  validations. 

We  believe  that  an  agency's  failure  to  comply  with  this 
policy  is  more  an  audit  and  enforcement  issue  than  one 
related  to  training. 
Recommendation


A. Adopt rules for enforcement of established criminal
justice policies as specified in section 44-5-213(7)
MCA.


agencies. 


criminal  justice 


The  Department  requested  and  received  a  CJIN  Auditor  position 
from  the  1995  Legislature.   This  position  will  be  hired  in 
August,  1995.   The  addition  of  this  position  will  allow  CJIN  to 
more  closely  monitor  user  compliance  and  to  establish  a  well 
formed  compliance  program  beginning  in  FY  1996. 

Recommendation

We recommend the department establish procedures to ensure all
title transactions are sent to and received by the Registration
and Titling Bureau.

Those  procedures  are  still  under  study.   As  was  stated 
in  our  initial  response,  this  is  a  complex  issue  that 
does  not  respond  to  a  simple  solution,  however  the  MVD 
continues  to  take  this  concern  very  seriously. 


Recommendation #18


B. Coordinate with the Department of Commerce in reviewing
computer access and management controls.

A letter has been sent to the Department of Commerce
requesting its cooperation (see enclosure). The
Department  of  Commerce  has  not  yet  responded  to  our 
request,  but  we  will  follow-up  as  soon  as  we  are  able. 


Recommendation #19


We recommend the department provide additional training for
county employees to improve data integrity in the Registration
and Titling application.

Clerks  have  been  laboriously  instructed  that  the  full 
value  of  the  vehicle  is  desired  in  the  value  field. 
They are taught:

1. The system manual contains that
information;

2. The yearly TAC meeting addresses the
issue; and,

3. The county visits by the district
trainer reiterate the process.

County  treasurer  clerks  cannot  always  get  the  full 
value  of  the  vehicle  from  the  assessor.   The  assessor 
often  will  not  value  the  vehicle  when: 

1.  The  vehicle  is  exempt; 

2.  The  taxes  have  been  paid  on  a  60-day 
sticker;  and, 

3. The taxes are current from the previous
owner.

The assessor may not give the full value if:

1. The vehicle is on the dealer's inventory
and taxes have abated;

2.  The  vehicle  is  owned  50%  by  an  exempt 
entity;  and, 

3.  The  owner  is  changing  anniversary  dates, 
which  pro-rate  the  taxes. 

If the assessor--who by law has the authority to value
vehicle--will not give the value, the treasurer and
clerks are instructed to leave the field blank.

Reports  are  reviewed  periodically  by  the  trainers  to 
make  sure  false  amounts  like  $0.01  are  not  being 
entered. 


Recommendation  #20 

We recommend the department:

A. Implement market value edits which ensure registration
transactions are valid and market values recorded
comply with state law.

B. Review other R&T application edits for effectiveness.

By statute, most vehicles may not be valued below $500;
but,  the  system  cannot  be  edited  to  reject  amounts 
below  that  figure  because  assessors  set  values.   Many 
assessors  show  values  as  follows: 

1.  Exempt  vehicles  will  not  show  a  value. 

2. Half-exempt vehicles can show half the value.

3. Vehicles with current taxes will show no
value.

4. Vehicles on the dealer's inventory may show
partial value for the abated taxes.

5. Vehicles changing anniversary dates may show
partial value.

6.  RPO  vehicles  may  be  pro-rated  and  show  partial  value. 

Edits  are  and  will  continue  to  be  routinely  reviewed. 

Recommendation #22

We recommend the department coordinate with the Department of
Commerce  to  help  local  government  agencies  establish  effective 
controls  over  the  Registration  and  Titling  function. 


A  meeting  will  be  set  up  between  the  Department  of 
Commerce  and  the  Department  of  Justice  regarding  areas 
of  responsibility  regarding  system  auditing.   We 
believe  we  do  review  management  controls  and  computer 
access  to  the  R&T  system.   We  do  have  effective 
controls  over  the  Registration  and  Titling  functions. 
The  Department  of  Justice  does  give  local  and  some 
state  agency  guidance  regarding  controls  over  the 
registration  and  titling  functions.   It  does  this 
through  the  Title  and  Registration  Bureau,  county 
trainers,  the  TAC  Program,  system  edits  and  numerous 
manuals  and  memos. 


STATE OF MONTANA

DEPARTMENT OF JUSTICE

CJIN SERVICES

Joseph P. Mazurek
Attorney General

Scott Hart Bldg. 5th Floor
303 North Roberts
PO Box 201406
Helena, MT 59620-1406

TO: All CJIN User Agencies
FROM: Jim Oppedahl, Administrator
Nancy Bloom, Administrative Officer
DATE: May 8, 1995

SUBJECT: FINGERPRINT POLICY FOR CJIN ACCESS

The  attached  policy  on  fingerprint-based  background  checks  is 
effective  May  15,  1995  and  applies  to  all  local,  state  and  federal 
new hires and transferred employees that require CJIN access.

This  policy  was  distributed  in  draft  form  and  noticed  for  comments 
in  September,  1994  and  April,  1995. 

The  policy  is  necessary  due  to  revisions  by  the  FBI's  National 
Crime  Information  Center  which  require  that  all  operators  and 
others  who  have  access  to  NCIC  information  must  be  subjected  to 
fingerprint-based  background  checks  to  determine  their  fitness  and 
character  to  handle  sensitive  information.  NCIC  has  established 
this  fingerprint-based  records  check  to  ensure  positive 
identification  of  potential  employees. 

The  CJIN  policy  which  implements  the  NCIC  policy  requirements  is 
intended  to  involve  CJIN  Services  as  little  as  possible  in  the 
hiring  decisions  made  by  CJIN  user  agencies.  The  responsibility  of 
hiring  honest  and  trusted  employees  is  first  and  foremost  a 
function  of  the  employing  agency. 

Employing  agencies  should  clearly  understand  when  hiring 
individuals  that  access  to  CJIN  may  be  denied  in  certain 
circumstances.  Agencies  may  want  to  make  permanent  employment 
contingent  upon  successful  passage  of  the  fingerprint-based 
background  check  and  approval  of  sign-on  access  to  CJIN/NCIC. 

It  is  hoped  that  the  attached  flow  chart  will  be  a  visual  aid  in 
understanding  the  background  check  process.  If  you  have  any 
questions  about  the  policy  please  do  not  hesitate  to  contact  this 
office. 
STATE OF MONTANA

DEPARTMENT OF JUSTICE

CJIN SERVICES

Joseph P. Mazurek
Attorney General

Scott Hart Bldg. 5th Floor
303 North Roberts
PO Box 201406
Helena, MT 59620-1406

TO: ALL TACS

FROM: NANCY BLOOM, BUREAU CHIEF, CJIN SERVICES

DATE: MAY 8, 1995

SUBJECT: FINGERPRINT POLICY

Effective May 15th, the new fingerprint policy goes

new sign-on is being requested by your agency.

those prints are no. sent to the
fingerprint cards to the State ID Bureau, (mark the reason field with 'Criminal Justice

request a sign-on for an employee with an outstanding warrant or a criminal history record.

function of the employing agency. Access to CJIN may be denied in c

CJIN access is vital to the job, you may want to make permanent employment contingent

of the fingerprint-based background check and approval of sign-on access to

CJIN/NCIC.

Please note that the "Request for Access to CJIN/NCIC" form should be signed by your Agency
Administrator. Feel free to make copies of this form for your agency's use, or contact CJIN
Services for more forms.

If you have any questions regarding the fingerprint policy or procedures, please call me at
444-2800 or 444-2802.
STATE OF MONTANA

DEPARTMENT OF JUSTICE

CJIN SERVICES

Joseph P. Mazurek
Attorney General

Scott Hart Bldg. 5th Floor
303 North Roberts
PO Box 201406
Helena, MT 59620-1406

Nancy Bloom, Bureau Chief
Effective Date: May 15, 1995
POLICY NUMBER:

The following material outlines CJIN policies and procedures
for  requesting  access  to  the  CJIN/NCIC  system. 

NCIC  policy  requires  that  thorough  background  screening  be 
conducted  by  the  employing  terminal  agency  of  new  or 
transferred  personnel  having  access  to  CJIN/NCIC.  Effective 
May  15,  1995,  state  and  national  III  record  checks  by 
fingerprint  identification  must  be  conducted  for  terminal 
operators,  programmers,  and  other  persons  employed  or  utilized 
to  effectuate  access  to  or  initiate  transmission  of  CJIN/NCIC 
information.  Good  management  practices  dictate  record  checks 
should  be  completed  prior  to  employment. 

The  employing  agency  is  responsible  to  ensure  that  terminal 
operators,  programmers,  and  other  persons  employed  or  utilized 
to  effectuate  access  to  or  initiate  transmission  of  CJIN/NCIC 
information  are  subjected  to  appropriate  fingerprint-based 
background  checks  to  establish  the  "honesty  and  fitness  to 
handle sensitive information" [44-5-405, MCA] of the potential
employee and to ensure that the potential employee is "not a
fugitive from justice and/or has not been convicted of a
felony or serious misdemeanor." [28 CFR, 20.21 and NCIC
Security  Policy  approved  June  3,  1992] 

PHASE  I:   INITIAL  APPLICATION  AND  TEMPORARY  SIGN-ON  ACCESS 

Prior  to  requesting  access  to  CJIN/NCIC  for  an  employee, 
the  employing  agency  must  check  state  and  national  arrest 
and fugitive files [Wanted Person (QW) and Criminal
History (QH/QR, IQ/FQ) inquiries must be run against
CJIN/NCIC by name].

A)    If  no  record  is  found  and  the  agency  wishes  to 
request  CJIN  access: 

i)  submit  two  applicant  fingerprint  cards  to 
the  Montana  Identification  Bureau  of  the  Law 
Enforcement  Services  Division  for  a  complete 
fingerprint-based  Montana  and  national 
criminal  background  check. 

ii)  in  the  "Reason  Fingerprinted"  field  on 
the  fingerprint  card  write  or  type  "Criminal 
Justice  Employment  —  CJIN  operator."  The 
Montana  Identification  Bureau  will  forward  one 
card  to  the  FBI  Identification  Division. 


iii)  make  application  to  CJIN  Services  for 
system  sign-on  access  using  the  REQUEST  FOR 
ACCESS  TO  CJIN/NCIC  form  (including  the 
required  workbook  certification  form) 
certifying  that  the  applicant's  background 
check  resulted  in  no  records  having  been 
found.   [Complete  parts  A,  B  and  D] 

Upon  receipt  of  the  application  form  and 
certification  above,  CJIN  Services  will  grant 
temporary  sign-on  access  pending  final  review 
of  the  fingerprint-based  background  check. 

B)  If  a  record  of  any  kind  is  found,  the  employing 
agency  must  review  the  arrest  and  fugitive  records. 
The  employing  agency  may  request  access  for  an 
individual  whose  name-based  background  check 
results  in  a  positive  record  or  in  disclosing  that 
the  individual  is  a  fugitive,  or  has  been  convicted 
of  a  felony  or  serious  misdemeanor  if  the  agency 
believes  that  the  nature  of  the  reported  offenses 
or  circumstances  of  the  positive  records  check 
should  not  disqualify  the  individual  from  access  to 
the  system.  If  the  agency  makes  such  a 
determination,  the  agency  may  submit  a  request  to 
CJIN  for  access  for  the  individual  using  the 
REQUEST  FOR  ACCESS  TO  CJIN/NCIC  form  [complete 
parts  A,  B  and  D,  and  include  the  required  workbook 
certification form]. The request for access must
include  an  explanation  of  the  circumstances  of  the 
positive  records  check  or  the  details  of  the 
arrests  and  convictions  and  the  specific  reasons 
why  the  agency  believes  these  do  not  disqualify  the 
individual  from  access.  In  addition,  the  agency 
must: 
i) submit two applicant fingerprint cards to
the  Montana  Identification  Bureau  of  the  Law 
Enforcement  Services  Division  for  a  complete 
fingerprint-based  Montana  and  national 
criminal  background  check;  and 

ii)  write  in  the  "Reason  Fingerprinted"  field 
on  the  fingerprint  card  the  following: 
"Criminal  Justice  Employment  —  CJIN 
operator."  The  Montana  Identification  Bureau 
will  forward  one  card  to  the  FBI 
Identification  Division. 

CJIN will consider requests for sign-on access submitted
under  this  section  on  a  case-by-case  basis  and  will  make 
a  final  determination  if  the  security  of  the  system  would 
be  compromised  by  the  applicant's  access  based  on  system 
security  standards  for  personnel  having  access  to  the 
criminal  justice  information  system,  in  accordance  with 
MCA  44-5-405,  on  standards  outlined  for  peace  officer 
employment  in  MCA  7-32-303,  and  upon  federal  policies 
outlined  in  28  CFR,  20.21  and  NCIC  Security  Policy 
[approved  June  3,  1992]. 

If  a  determination  is  made  that  CJIN/NCIC  system  access 
by  the  applicant  would  not  be  in  the  public  interest, 
such  access  will  be  denied  and  the  terminal  agency 
administrator  will  be  notified  in  writing  of  the  access 
denial. 

When  CJIN  Services  grants  sign-on  access  under  this 
section,  access  is  temporary  pending  final  review  of  the 
fingerprint-based  background  check. 

PHASE II: FINGERPRINT-BASED RECORDS RECEIVED AND REVIEWED

When  identification  of  the  applicant  has  been  established  by 
fingerprint-based  comparison  the  following  procedures  apply: 

A)  If  the  fingerprint-based  background  check  indicates  no 
hits  or  the  record  is  not  different  from  those  identified  in 
the  original  review  process,  the  CJIN  sign-on  access  is 
considered  completed.  The  employing  agency  must  keep  a  record 
of  the  fingerprint-based  check  results  in  the  agency  personnel 
files  which  are  subject  to  audit  by  CJIN  Services. 

B)  If  the  fingerprint-based  background  check  indicates  hits 
or  the  record  is  different  from  those  identified  in  the 
original  review  process,  the  agency  must  notify  CJIN  Services 
immediately.  CJIN  will  suspend  the  temporary  sign-on  access. 
Continued  sign-on  access  must  be  applied  for  under  the 
provisions  of  Phase  III. 
process.

When the fingerprint-based records have been reviewed the

when the employing
agency still wants to apply for CJIN sign-on access - the

following procedures apply:

The employing agency may request access for an individual
whose fingerprint-based background check results in

not

determination, the agency may
submit a request to CJIN for access for the individual
using the REQUEST FOR ACCESS TO CJIN/NCIC form and
completing parts A, C and D. The request for access must
include an explanation of the circumstances of the
positive records check or the details of the arrests and
convictions and the specific reasons why the agency feels
these do not disqualify the individual from access.

CJIN  will  consider  applications  submitted  under  this 
section on a case-by-case basis and will make a final
determination if the security of the system would be
compromised by the applicant's access based on system
security standards for personnel having access to the
criminal justice information system, in accordance with
MCA 44-5-405, on standards outlined for peace officer
employment in MCA 7-32-303, and upon federal policies
outlined in 28 CFR, 20.21 and NCIC Security Policy
[approved  June  3,  1992]. 

If  CJIN/NCIC  system  access  is  approved,  CJIN  will  notify 
the  agency  and  sign-on  access  will  be  restored.  The 
employing  agency  must  keep  a  copy  of  its  application  and 
the  approval  documents  from  CJIN  in  its  agency  files 
which  are  subject  to  audit  by  CJIN  Services. 

If  a  determination  is  made  that  CJIN/NCIC  system  access 
by  the  applicant  would  not  be  in  the  public  interest, 
such  access  will  be  denied  and  the  terminal  agency 
administrator  will  be  notified  in  writing  of  the  access 
denial. 
[Flow chart of the background check process; box labels follow]

AGENCY CONDUCTS INITIAL NAME-
BASED BACKGROUND CHECK OF
STATE AND NATIONAL CRIMINAL
HISTORY RECORDS AND
DETERMINES WHETHER TO APPLY
FOR SIGN-ON ACCESS

NO MATCHING RECORDS ARE
FOUND. THE AGENCY WANTS TO
MAKE APPLICATION FOR SIGN-ON AND
SUBMITS TWO FINGERPRINT CARDS
TO STATE ID BUREAU

MATCHING RECORDS ARE FOUND
BUT THE AGENCY STILL WANTS TO
MAKE APPLICATION FOR SIGN-ON AND
SUBMITS TWO FINGERPRINT CARDS TO
THE STATE ID BUREAU

TEMPORARY SIGN-ON GRANTED
PENDING FINAL REVIEW OF
FINGERPRINT-BASED RECORDS CHECK

CJIN REVIEW OF APPLICATION FOR
ACCESS

ACCESS DENIED LETTER TO AGENCY

FINGERPRINT-BASED RECORDS
RECEIVED AND REVIEWED BY
AGENCY

STILL NO HITS OR THE FINGERPRINT-
BASED RECORDS ARE NOT DIFFERENT
FROM ORIGINAL REVIEW PROCESS

HITS OR RECORDS ARE DIFFERENT
FROM ORIGINAL REVIEW PROCESS

DOCUMENTS FILED IN AGENCY
RECORDS

NOTIFY CJIN IMMEDIATELY

CJIN SUSPENDS SIGN-ON ACCESS

AGENCY REVIEWS FINGERPRINT-
BASED CRIMINAL HISTORY
RECORDS AND DETERMINES
WHETHER TO CONTINUE
APPLICATION FOR SIGN-ON ACCESS

AGENCY MAKES APPLICATION FOR
SIGN-ON ACCESS WITH
DOCUMENTATION OF REASONS

AGENCY DECIDES NOT TO REQUEST
SIGN-ON

CJIN REVIEW OF APPLICATION FOR
ACCESS

SIGN-ON RESTORED

ACCESS DENIED LETTER TO AGENCY

DOCUMENT FILED IN AGENCY
RECORDS
REQUEST FOR ACCESS TO CJIN/NCIC

AGENCY NAME:

PART A: ACCESS FOR THE FOLLOWING INDIVIDUAL IS REQUESTED:

NAME:

DATE OF BIRTH: SOCIAL SECURITY NUMBER:

PROPOSED TITLE:

NOTE: Training certification record must accompany this form before a
sign-on will be issued.

PART  B:  REQUEST  FOR  CONDITIONAL  ACCESS.  Check  the  appropriate  box(s) 

□ A warrant and background check was conducted on the above individual
on ________, 199__ and no matching record was found. This agency is
requesting temporary/conditional access for this individual pending
return  and  review  of  the  fingerprint-based  background  check.   Two 
fingerprint  cards  have  been  submitted  to  the  State  Identification 
Bureau  on  this  applicant. 

□ A warrant and background check was conducted on the above individual
on ________, 199__ and one or more matching records were found. This
agency is requesting temporary/conditional access for this individual
pending  return  and  review  of  the  fingerprint-based  background  check. 
Two  fingerprint  cards  have  been  submitted  to  the  State  Identification 
Bureau  on  this  applicant.   Attached  is  a  summary  giving  full  details 
of  reasons  for  requesting  sign-on  access  for  this  individual  and 
copies  of  the  criminal  history  records  and/or  warrant. 

PART  C:   REQUEST  FOR  CJIN/NCIC  ACCESS  OR  REASSIGNMENT  BASED  ON  NEW 
INFORMATION  RECEIVED  FROM  FINGERPRINT  CARD  PROCESSING. 

□ A fingerprint-based background check was returned to this office on
________, 199__ for the above individual. This agency notified CJIN
Services on ________, 199__, that the fingerprint-based
background check indicated the individual had a positive record check,
is  a  fugitive  from  justice  or  has  been  convicted  of  a  felony  or 
serious  misdemeanor.   After  reviewing  the  fingerprint-based  criminal 
history  record,  this  agency  has  determined  that  the  individual  may 
qualify  for  access  to  CJIN/NCIC  for  the  stated  reasons  and  therefore 
asks  that  CJIN  Services  consider  granting  sign-on  access  for  this 
individual.   Attached  is  a  summary  giving  full  details  of  reasons  for 
requesting  sign-on  access  for  this  individual  and  copies  of  the 
criminal  history  records  and/or  warrant. 

PART D: Certification and Signature.

I certify that the material contained in this request accurately reflects
the records reviewed in this office.

Signature of Police Chief/Sheriff/Agency Administrator*

W:  5/8/95  #108 
MONTANA

CRIMINAL  JUSTICE  INFORMATION  NETWORK 

INTRODUCTION 

The  National  Crime  Information  Center  (NCIC)  Audit 
Program  was  implemented  in  1983  with  the  goal  of  assessing  policy 
compliance  and  data  quality  within  each  state.   Each  audit  is 
divided  into  a  State  Control  Terminal  Agency  (CTA)  phase  and  a 
local  agency  review  phase. 

The  CTA  phase  involves  a  review  of  major  areas  to 
determine  how  the  Control  Terminal  Officer  (CTO)  meets  the 
requirements  of  NCIC  policy.   Special  attention  is  paid  to  the 
areas  of  training,  security,  state  audit  program,  validation,  and 
hit  confirmation.   The  information  gathered  during  this  phase  is 
applied  during  a  local  agency  review  to  determine  whether  the  CTA 
is  effectively  meeting  its  responsibilities. 

During  the  local  agency  review,  a  number  of  criminal 
justice  agencies  are  contacted.   Compliance  with  NCIC  policy  is 
assessed.   A  statistically  valid  sample  of  entries  is  obtained 
for  the  Wanted  Person  and  Vehicle  Files.   Agency  and  court 
records  are  checked,  and  complainants  are  contacted  to  determine 
whether  the  records  are  accurate  and  valid.   Results  of  the  local 
agency  reviews  are  used  to  help  the  CTA  identify  any  areas  where 
there  is  a  failure  to  comply  with  NCIC  policy. 
During the local agency review phase, the following
agencies were contacted:

Billings Police Department
Butte-Silver Bow Law Enforcement Agency
Cascade  County  Sheriff's  Office 
Flathead  County  Sheriff's  Office 
Helena  Police  Department 
Lake  County  Sheriff's  Office 
Lewis  &  Clark  County  Sheriff's  Office 
DESCRIPTION  OF  STATE  SYSTEM  AND  SERVICES 

Mr.  Jim  Oppedahl  is  the  CTO  for  the  Criminal  Justice 
Information  Network  (CJIN)  System.   The  CTO  is  responsible  for 
ensuring  that  all  user  agencies  adhere  to  the  rules  and 
regulations  set  forth  by  NCIC  and  CJIN. 

CJIN has .19% of the total records in NCIC. CJIN
provides NCIC service to 93 24-hour terminal agencies, which
account for 98.67% of the CJIN records in the System. CJIN also
provides service to 39 non 24-hour terminal agencies, which
account for .33% of the CJIN records in NCIC.

Four hundred seventy-six Nonterminal Agencies (NTAs)
receive NCIC service from CJIN. The NTAs account for 1% of the
CJIN records in NCIC. NTA Originating Agency Identifiers (ORIs)
are not programmatically assigned to a specific terminal agency
for service. A terminal agency's ORI is set in a pre-formatted
screen, however, it can be overwritten using any Montana ORI.
Presently,  any  Montana  ORI  can  be  used  at  any  terminal  to  enter, 
clear,  cancel,  or  modify  another  agency's  records. 

The  local  agency  review  determined  that  Cascade  County 
Sheriff's  Office  was  not  routinely  changing  the  ORI  to  indicate 
the  serviced  agency  for  NCIC  entries.   Also,  three  servicing 
agencies  were  using  their  own  ORI  when  making  inquiries  for 
serviced  agencies.   Agencies  must  be  restricted  through  State 
programming  to  entering  and  modifying  their  own  records  and  the 
records  of  agencies  that  they  service. 
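
One way to express the restriction the auditors call for, as an added example (not CJIN code): a write is allowed only when the ORI typed into the screen is the terminal's own or one it services, and the record belongs to that same ORI. The service map, the ORI values and every name below are constructed, and the sketch assumes the system, not the operator, supplies the terminal's own ORI.

```python
"""Added example: limiting record changes to a terminal's own ORI and the
ORIs it services. All ORI values and names here are constructed."""
from dataclasses import dataclass

# Record actions the audit lists as open to any Montana ORI at any terminal.
WRITE_ACTIONS = frozenset({"enter", "clear", "cancel", "modify"})

# Hypothetical service map kept by the CTA: terminal agency ORI -> ORIs of the
# nonterminal agencies (NTAs) assigned to it for service.
SERVICE_MAP = {
    "MT-TERM-A": frozenset({"MT-NTA-1", "MT-NTA-2"}),
    "MT-TERM-B": frozenset(),
}


@dataclass(frozen=True)
class Transaction:
    terminal_ori: str  # ORI tied to the terminal station, set by the system
    claimed_ori: str   # ORI typed into the pre-formatted screen by the operator
    record_ori: str    # ORI that owns the record (for "enter", same as claimed)
    action: str


def permitted_oris(terminal_ori, service_map=SERVICE_MAP):
    """ORIs a terminal may act for: itself plus the agencies it services."""
    if terminal_ori not in service_map:
        return frozenset()
    return frozenset({terminal_ori}) | service_map[terminal_ori]


def authorize(tx, service_map=SERVICE_MAP):
    """Return (allowed, reason) for one write transaction."""
    if tx.action not in WRITE_ACTIONS:
        return False, "unsupported action"
    permitted = permitted_oris(tx.terminal_ori, service_map)
    if not permitted:
        return False, "unknown terminal"
    if tx.claimed_ori not in permitted:
        return False, "claimed ORI is not this terminal's or one it services"
    if tx.record_ori != tx.claimed_ori:
        return False, "record belongs to a different ORI"
    return True, "ok"


def review(transactions, service_map=SERVICE_MAP):
    """Return the denied transactions with reasons, for audit follow-up."""
    denied = []
    for tx in transactions:
        ok, reason = authorize(tx, service_map)
        if not ok:
            denied.append((tx, reason))
    return denied


# Constructed sample transactions.
SAMPLE = [
    Transaction("MT-TERM-A", "MT-TERM-A", "MT-TERM-A", "enter"),
    Transaction("MT-TERM-A", "MT-NTA-1", "MT-NTA-1", "modify"),
    Transaction("MT-TERM-B", "MT-NTA-1", "MT-NTA-1", "cancel"),
    Transaction("MT-TERM-A", "MT-NTA-2", "MT-TERM-B", "clear"),
    Transaction("MT-TERM-Z", "MT-TERM-Z", "MT-TERM-Z", "enter"),
]

if __name__ == "__main__":
    for tx, reason in review(SAMPLE):
        print(f"DENY {tx.action:6} terminal={tx.terminal_ori} "
              f"claimed={tx.claimed_ori} record={tx.record_ori}: {reason}")
```
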
The City of Billings, Great Falls, and Missoula
Communications  Centers  are  the  only  interfaces  accessing 
NCIC/CJIN.   All  are  under  the  management  control  of  a  criminal 
justice  agency.   Appropriate  Management  Control  Agreements  are  on 
file  at  the  CTA. 

The  CTA  provides  authorized  terminal  agencies  full  NCIC 
capability  to  all  Files,  message  keys,  and  fields.   CJIN  also 
maintains  the  following  State  Files: 

-  Stolen  Vehicle 

-  Stolen  License  Plate 

-  Wanted  Person 

-  Criminal  History 

DISSEMINATION  OF  INFORMATION  AND  USER  INPUT 

The  NCIC  Operating  Manual,  NCIC  Code  Manual,  NCIC 
Technical  and  Operational  Updates,  CJIN  Newsletter,  and  manual 
revisions  are  disseminated  to  Terminal  Agency  Coordinators  (TACs) 
by  the  CJIN  Administrative  Officer.   Information  requiring 
immediate  attention  is  forwarded  on-line  to  all  terminal  agencies 
through  a  State  switcher.   NCIC  Auditors  found  that  terminal 
agencies  receive  NCIC/CJIN  publications  and  related  materials  in 
a  timely  manner. 

Annual  TAC  Conferences  are  held  to  provide  TACs  with 
the  opportunity  to  submit  ideas  for  NCIC  Regional  Working  Group 
(RWG)  meetings.   Each  two-day  conference  is  held  in  two  different 
locations  to  facilitate  attendance.   The  TACs  are  also  given 
questionnaires  to  mail  back  at  a  later  date.   Feedback  from  the 
NCIC RWG meetings is documented, and relevant information that
directly affects users is distributed through the CJIN on-line
News File.

TRAINING 

The  CTA  requires  training  for  terminal  operators, 
criminal  justice  practitioners,  sworn  personnel,  and  upper  level 
managers  and  agency  administrators  who  utilize  NCIC/CJIN 
information.   The  CJIN  Trainer  is  responsible  for  training  all 
TACs,  who  are  then  responsible  for  training  their  agency's 
terminal  operators.   The  CJIN  Training  program  is  in  full 
compliance  with  NCIC  policy  and  remains  unchanged  since  the 
previous audit.

The CJIN Training program recently qualified to receive
"Police Officer Standards Training" ("POST") credits. A police
officer, who is also trained as a terminal operator, can receive
up to 66 "POST" credits for initial training, and up to 8 "POST"
credits for each recertification.

The local agency review determined all 113 terminal
operators identified had been trained and certified in accordance
with NCIC Training requirements.

PERSONNEL, PHYSICAL, AND TECHNICAL SECURITY

The Montana Codes Annotated, 44-5-405, requires all CTA
personnel to undergo an extensive background investigation. This
includes a check of III and State Criminal History Files;
however, it does not include the submission of a fingerprint
card. Montana State policy does not require local agencies to
submit applicant fingerprint cards for positive identification.
However, the local agency review determined all seven agencies
reviewed fingerprinted employees accessing NCIC/CJIN information.

The Administrative Officer is the Security Officer (SO)
for CJIN. The SO is responsible for the continuing operation of
all personnel, physical, and computer software safeguards.
Physical security inspections are performed at local agencies
prior to terminal installation. System security is controlled
programmatically at the CTA through the ORI and a terminal
station number. System security procedures are effective and
remain unchanged since the previous NCIC Audit.

III

CJIN  maintains  an  automated  log  of  all  III  transactions 
for  a  minimum  of  one  year.   The  log,  which  contains  a  mandatory 
Attention  (ATN)  Field  for  all  III  inquiries,  is  in  compliance 
with  NCIC  policy.   CJIN  policy  requires  any  secondary 
dissemination  of  III  to  be  logged  using  the  automated  log. 
Requestors  from  serviced  agencies  must  be  identified  in  the  ATN 
Field. 

Assessment  of  III  policy  at  the  local  agencies  reviewed 
determined  one  agency  was  conducting  III  inquiries  on  foster 
parents  for  Lake  County  Social  and  Rehabilitative  Services.   NCIC 
Auditors  also  determined  four  agencies  were  not  routinely 
identifying  the  requestor  in  the  ATN  Field  and  one  agency  was 
improperly  disposing  of  III  printouts.   Three  agencies  were  using 
Purpose  Code  "C"  instead  of  "F"  for  firearms-related  III 
inquiries. Additionally, one agency was using Purpose Code "C"
instead of "J" for criminal justice employment checks.

STATE AUDIT PROGRAM

The  CJIN  "self-audit"  program  became  fully  operational 
in  October  1989,  with  the  purpose  of  ensuring  compliance  with 
Federal  and  State  policies  and  regulations.   The  CJIN  Audit 
program  is  in  compliance  with  the  NCIC  requirement  for  biennial 
audits  of  all  terminal  agencies.   CJIN  had  just  completed  the 
third  cycle  of  local  agency  audits  in  June  1994.   The  State  will 
begin  the  fourth  cycle  when  a  new  State  Auditor  has  been  fully 
trained. 

The  "self-audit"  packet  consists  of  an  extensive 
compliance  review  of  all  major  NCIC/CJIN  policies,  including 
access  and  control  of  the  terminal,  security  of  personnel, 
dissemination  of  reference  material,  training,  validations,  and  a 
data  quality  review.   A  written  report  is  subsequently  prepared 
and  forwarded  to  the  agency  approximately  one  to  two  months  after 
submission of the "self-audit" packet. The CTO is available for
a  follow-up  conference  for  agencies  with  recurring  policy 
violations. 

The  NCIC  local  agency  review  included  seven  agencies 
previously  audited  by  CJIN.   The  CJIN  Audit  identified  one  policy 
violation  which  has  not  been  resolved.   The  recurring  violation 
involved  improper  purpose  code  use  for  III  inquiries.   However, 
three  III  policy  violations  were  not  identified  during  CJIN 
Audits. NCIC Auditors determined agencies were utilizing III for
inquiries on foster parents for Lake County Social and
Rehabilitative Services, improperly completing the ATN Field, and
improperly disposing of III printouts.

STATE QUALITY ASSURANCE PROCEDURES

The  CJIN  Quality  Control  Staff  (QCS)  is  responsible  for 
mailing  monthly  validation  printouts  to  each  ORI  on  record. 
Validation  procedures  remain  unchanged  since  the  previous  audit. 
Failure  to  return  a  completed  validation  within  four  weeks  will 
result  in  the  purge  of  an  agency's  records.   During  the  past  two 
years,  CJIN  did  not  find  it  necessary  to  purge  records  from  any 
agencies  due  to  noncompliance  with  the  validation  policy. 
Results  of  the  local  agency  review  reflected  all  agencies  were  in 
compliance  with  wanted  person,  vehicle,  and  missing  person 
validation  procedures. 

The  QCS  monitors  hit  confirmation  requests,  24  hours  a 
day,  seven  days  a  week,  and  is  responsible  for  State  quality 
control  measures.   The  CTA  will  telephone  all  terminal  agencies 
not  responding  to  second  and  third  requests  for  hit  confirmation, 
to  determine  the  reason  for  the  delay.   The  local  agency  review 
determined  that  all  agencies  were  performing  a  second-party  check 
on the Wanted Person, Vehicle, and Missing Person Files.

SYSTEM AVAILABILITY

The  average  System  availability  time  for  the  six-month 
period  beginning  December  1,  1993,  was  99.0%,  in  compliance  with 
the  NCIC  standard  of  96%. 
SYSTEM RESPONSE TIME

NCIC "hot" File response time was measured at six
direct-line agencies. The average response time at the
direct-line agencies was 8.34 seconds, within the NCIC standard
of 12.0 seconds. III response time was also measured at six
direct-line agencies. The average response time at the
direct-line agencies was 13.44 seconds, within the NCIC standard
of 15.0 seconds.

NCIC "hot" File response time was measured at one
interface agency. The average response time at the interface
agency was 6.56 seconds, within the NCIC standard of 22.0
seconds. III response time was also measured at one interface
agency. The average response time at the interface agency was
23.67 seconds, within the NCIC standard of 25.0 seconds.

DATA QUALITY ASSESSMENT

During  the  local  agency  review,  100  wanted  person 
entries  were  compared  against  agency  files,  original  warrants, 
and  court  consultations.   All  were  valid  in  that  the  warrants 
were  still  active  and  accurate  according  to  supporting 
documentation.   Two  of  the  entries  were  on  subjects  who  were 
incarcerated  in  another  jurisdiction.   This  is  a  violation  of 
NCIC  policy  in  that  the  location  of  the  subject  was  known. 

One  hundred  vehicle  entries  were  reviewed  against  case 
files.   Ninety-nine  (.9900  +/-  .0256,  99%  level  of  confidence) 
were  determined  to  be  valid  in  that  the  vehicles  had  not  been 
recovered.   All  of  the  valid  entries  were  accurate  according  to 
supporting documentation. One vehicle was recovered as a result
of  60  letters  sent  to  owners/complainants. 

Twenty-seven  missing  person  entries  were  reviewed 
against  agency  case  files.   Seventeen  (.6296  +/-  .2393)  of  the 
entries  were  valid  in  that  the  missing  persons  had  not  been 
located.   One  invalid  entry  was  identified  through  case  file 
review.   The  remaining  invalid  missing  person  entries  were 
identified  through  24  contacts  completed  by  local  agency 
personnel.   All  of  the  valid  entries  were  accurate  according  to 
supporting documentation.

RECORD COMPLETENESS

All  100  wanted  person  entries  were  compared  with  III 
records  to  determine  whether  additional  identifying  data  could  be 
added  to  the  entries  to  make  them  more  complete.   On  the  basis  of 
these  inquiries,  ten  entries  were  found  to  be  incomplete. 
Additional  available  data  included:   aliases,  dates  of  birth, 
Social  Security  Numbers,  fingerprint  classification  numbers,  FBI 
Numbers,  and  scars,  marks,  and  tattoos. 

Review  of  the  local  agency  case  files,  warrants,  and 
other  supporting  documents  revealed  critical  information  absent 
from  three  wanted  person  entries.

RECORD  TIMELINESS

All  records  reviewed  had  been  entered  in  a  timely
manner.

MONTANA
RESULTS  OF  PREVIOUS  AUDIT 

The  previous  NCIC  Audit  was  completed  January  1992. 

The  following  recommendations  were  made  at  that  time: 

o  That  the  CTA  ensure  the  appropriate  technical  and
   administrative  controls  are  established  for  terminal
   agencies  and  the  NTAs  they  service.

Action:   The  CTA  has  not  had  the  opportunity  to  design  such  a
modification  due  to  turnover  on  the  programming  staff.   This
continues  to  be  a  recommendation.

o  That  the  CTA  training  program  be  expanded  to  include  all
   aspects  of  the  training  program  mandated  by  the  NCIC
   Advisory  Policy  Board.

Action:   At  the  time  of  the  most  recent  NCIC  Audit,  the  local
agency  review  determined  that  all  113  terminal  operators
identified  had  been  trained  and  tested  in  accordance  with  NCIC
Training  requirements.

o  That  the  CTA  comply  with  the  NCIC  policy  requiring  biennial
   audits  of  all  terminal  agencies.

Action:   The  CJIN  Audit  program  is  in  compliance  with  the  NCIC
requirement  for  biennial  audits  of  all  terminal  agencies.

o  That  CJIN  take  immediate  steps  to  ensure  local  agency
   compliance  with  validation  procedures  for  the  Wanted
   Person,  Vehicle,  and  Missing  Person  Files.

Action:   Results  of  the  local  agency  review  reflected
compliance  with  the  Wanted  Person,  Vehicle,  and  Missing  Person
File  validation  procedure.

o  That  the  CTA  monitor  local  agency  use  of  III  to  ensure
   compliance  with  NCIC  policy.

Action:   Assessment  of  the  III  File  at  the  local  agencies
reviewed  identified  improper  use  of  III  information,  the  ATN
Field,  purpose  codes,  and  improper  disposal  of  III  printouts.

CONCLUSIONS:

The  1994  Montana  Audit  determined  that  the  CJIN  Audit
and  Training  programs  are  in  compliance  with  NCIC  requirements.
Even  though  CJIN  continues  to  improve  existing  programs  in  order
to  achieve  compliance  with  NCIC  policy,  local  agency  compliance
with  III  policy  mandates  still  has  not  been  achieved.   The  CTA
should  implement  the  following  recommendations:

o  That  the  CJIN  Audit  and  Training  programs  closely
   address  and  monitor:

   -  proper  use  of  III  information
   -  proper  purpose  code  use
   -  proper  use  of  the  ATN  Field
   -  proper  disposal  of  III  printouts

o  That  the  CTA  ensure  appropriate  technical  controls  are
   established  for  terminal  agencies  and  the  NTAs  they
   service.

o  That  variations  noted  herein,  but  not  the  subject  of  a
   specific  recommendation,  be  reviewed  for  any  required
   corrective  action.

stopped.   The  ORI  table  will  attach  ORI's  to  terminal  sites  that
either  own  the  ORI  or  manage  records  for  the  ORI  supported  by  a
Non-terminal  Agency  Agreement.   It  is  estimated  that  this  change
will  be  in  place  by  the  end  of  the  2nd  quarter  of  1995."

MONTANA
AGENCY  COMMENTS 

The  CTO  has  reviewed  the  audit  report  and  has  made  the
following  comments  regarding  the  post  audit  recommendations:

o  That  the  CJIN  Audit  and  Training  programs  closely
   address  and  monitor:

   -  proper  use  of  III  information
   -  proper  purpose  code  use
   -  proper  use  of  the  ATN  Field
   -  proper  disposal  of  III  printouts

CTO  Response  -  "The  CJIN  Audit  and  Training  programs  will  closely
address  and  monitor  the  III  infractions  addressed  in  the  NCIC
audit.   The  local  agencies  that  were  audited  by  NCIC  have
received  the  results  of  the  audit,  and  the  CJIN  auditor  will  do  a
follow-up  with  these  agencies.   In  general,  the  CJIN  audit
program  will  closely  watch  for  these  III  infractions  with  all
agencies.   CJIN  training  will  emphasize  these  areas  of
noncompliance  also.   The  next  issue  of  the  CJIN  quarterly
newsletter  will  be  addressing  the  findings  of  the  NCIC  audit,  and
the  next  TAC  conference  will  also  address  these  items."

o  That  the  CTA  ensure  appropriate  technical  controls  are
   established  for  terminal  agencies  and  the  NTAs  they
   service.

CTO  Response  -  "After  re-evaluation  of  this  situation,  our
programmer  still  supports  the  original  plan  to  verify
transactions  against  a  look-up  table  that  would  contain  a  list  of
ORI's  and  corresponding  physical  site  network  addresses.   If  a
transaction  is  originating  from  a  site  that  does  not  have  ORI
authorization  according  to  the  table,  the  transaction  will  be

STATE  OF  MONTANA 

DEPARTMENT  OF  JUSTICE 

MOTOR  VEHICLE  DIVISION 

Title  &  Registration  Bureau


November  29,  199i 


Newell  B.  Anderson,  Administrator 
Local  Government  Assistance  Division 
Department  of  Commerce 
1424  9th  Avenue 
Helena,  MT  59620 

Dear  Mr.  Anderson: 

The  Motor  Vehicle  Division  of  the  Department  of  Justice  is 
responsible  for  the  titling  and  registration  of  motor  vehicles  in 
Montana.  The  process  is  initiated  at  the  county  treasurer 
offices  with  the  county  treasurers  and  their  staff  acting  as  our 
agents.  We  were  fortunate  to  have  been  able  to  automate  all  of 
the  counties  in  1992  and  now  have  a  statewide  on-line  motor 
vehicle  automated  system. 

Earlier  this  year  the  Electronic  Data  Processing  System  of  the 
Department  of  Justice  was  audited  by  the  Office  of  the 
Legislative  Auditor.  At  the  local  level,  the  auditors  examined 
system  security,  user  authority,  office  supervision,  monitoring 
of  system  reports  and  system  edits  as  well  as  other  areas.  As  an
example  of  their  concerns,  it  was  apparent  that  a  county  clerk 
could  register  their  own  vehicle  and  alter  the  vehicle's  value 
for  their  own  benefit. 

One  of  the  audit  recommendations  was  that  the  Motor  Vehicle 
Division  coordinate  with  the  Department  of  Commerce  in  reviewing 
computer  access  and  management  controls  at  the  county  level.  We 
have  always  had  a  pleasant  working  relationship  with  your  Local 
Government  Services  Bureau  and  continue  to  offer  our  assistance 
in  any  way  we  can  to  enhance  your  audit  procedures  of  local 
government  as  it  pertains  to  the  offices  of  the  county  treasurer. 

Please  let  us  know  if  we  can  be  of  service. 
Sincerely, 


Daryll  E.  Schoen,  Chief 
Title  and  Registration  Bureau 
Motor  Vehicle  Division

The  Supreme  Court  of  Montana
Office  of  the  Court  Administrator

PATRICK  A.  CHENOVICK
Court  Administrator

Justice  Building  Room  315
215  North  Sanders
P.O.  Box  203002
Helena,  Montana  59620-3002
Telephone  (406)  444-2621
FAX  (406)  444-3274

May  8,  1995

Mary  Bryson
Deputy  Legislative  Auditor
Office  of  the  Legislative  Auditor
Capitol  Station
Helena,  Montana  59620


Dear  Ms.  Bryson: 

Per  your  request  for  written  reply  to  the  follow-up  report  on  the  May  1993  audit  of  the
Department  of  Justice  EDP  area,  I  am  submitting  the  following. 

The  Judiciary  and  the  Department  of  Justice  have  continued  to  increase  communication  in 
areas  discussed  in  the  audit.  This  office  is  currently  collaborating  with  the  Department  to 
obtain  Federal  funds  to  begin  the  process  of  data  exchange  between  the  Judicial  Case 
Management  System,  the  Criminal  Records  Information  Program,  and  the  Department  of 
Corrections  database.  It  is  hoped  that  the  federal  funds  will  provide  a  method  to  ascertain  the 
common  information  areas  that  can  be  developed  in  a  cohesive  manner  to  allow  easier 
information  exchange. 

The  Department  of  Justice  named  the  Administrator  of  the  Supreme  Court  to  be  a  member 
of  the  Criminal  Records  Information  Program  task  force.  This  involvement  will  further  the 
opened  dialogue  that  was  inaugurated  by  the  DOJ  liaison.


Sincerely 


Patrick  A.  Chenovick 
Supreme  Court  Administrator

MONTANA
DEPARTMENT  OF  COMMERCE 


Director's  Office 

1424  9th  Avenue  PO  Box  200501 
Helena,  MT  59620-0501 


Phone:  (406)444-3494 
FAX:  (406)444-2903 
TDD:  (406)444-2978 


May  12,  1995 




Mr.  Scott  A.  Seacat 
Legislative  Auditor 
State  Capitol 
Helena,  MT  59620 

Dear  Mr.  Seacat: 


Thank  you  for  the  opportunity  to  respond  to  the  follow-up  report  on  the  Department  of 
Justice  1993  EDP  audit  report,  which  had  two  recommendations  concerning  the 
Department  of  Commerce. 

Enclosed  is  our  response,  from  the  Local  Government  Assistance  Division,  for  the 
follow-up  report. 


Sincerely,


>n  D.  Noel 
Enclosure

"Working  Together  to  Make  It  Work"


Original  Recommendation  #  18

B.  Coordinate  with  the  Department  of  Commerce  in  reviewing
computer  access  and  management  controls.

Original  Agency  Response  (Dept.  Of  Justice) 

B.  We  concur.  The  Motor  Vehicle  Division  will  offer  our 
assistance  to  the  Department  of  Commerce  to  enhance  their  audit 
procedures  of  county  motor  vehicle  offices. 

Follow-up  Response  (Dept.  Of  Commerce)

B.  The  Department  of  Commerce,  effective  7/1/95,  will  no  longer 
be  performing,  with  state  staff,  audits  of  county  governments.  As 
such,  issues  such  as  this  (internal  controls)  will  in  the  future 
have  to  be  addressed  to  the  new  Fiscal  and  Management  Systems 
program  and  will  be  handled  as  state  resources  are  available. 

Original  Recommendation  #  22

We  recommend  the  department  coordinate  with  the  Department  of 
Commerce  to  help  local  government  agencies  establish  effective 
controls  over  the  Registration  and  Titling  function. 

Original  Agency  Response  (Dept.  Of  Justice) 

We  concur.  However,  it  must  be  understood  that  in  a  majority  of 
the  smaller  counties  with  a  very  small  staff  there  may  be  no 
other  person  to  perform  these  functions. 

Follow-up  Response  (Dept.  Of  Commerce)

The  Department  of  Commerce,  effective  7/1/95,  will  no  longer  be 
performing,  with  state  staff,  audits  of  county  governments.  As 
such,  issues  such  as  this  (internal  controls)  will  in  the  future 
have  to  be  addressed  to  the  new  Fiscal  and  Management  Systems 
program  and  will  be  handled  as  state  resources  are  available.